Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Formal Specifications and Other People's Tech
Search
Marianne Bellotti
September 13, 2019
Technology
0
140
Formal Specifications and Other People's Tech
How do you use formal specification like TLA+ to model real world engineering challenges?
Marianne Bellotti
September 13, 2019
Tweet
Share
More Decks by Marianne Bellotti
See All by Marianne Bellotti
Building Safety Critical Systems
mbellotti
0
180
Killer Robots and Rogue AI
mbellotti
0
12
Five Lies of Modernization
mbellotti
0
18
Interdisciplinary Engineering
mbellotti
0
160
Worst Case Scenario in the Database
mbellotti
0
89
Death of the Trusted Internet
mbellotti
0
130
Debunking Other People's Data Science
mbellotti
0
120
Other Decks in Technology
See All in Technology
COVESA VSSによる車両データモデルの標準化とAWS IoT FleetWiseの活用
osawa
1
400
AIエージェントで90秒の広告動画を制作!台本・音声・映像・編集をつなぐAWS最新アーキテクチャの実践
nasuvitz
3
360
AIがコード書きすぎ問題にはAIで立ち向かえ
jyoshise
1
280
Webアプリケーションにオブザーバビリティを実装するRust入門ガイド
nwiizo
7
890
Django's GeneratedField by example - DjangoCon US 2025
pauloxnet
0
160
品質視点から考える組織デザイン/Organizational Design from Quality
mii3king
0
210
Oracle Cloud Infrastructure IaaS 新機能アップデート 2025/06 - 2025/08
oracle4engineer
PRO
0
110
Snowflake Intelligenceにはこうやって立ち向かう!クラシルが考えるAI Readyなデータ基盤と活用のためのDataOps
gappy50
0
280
20250913_JAWS_sysad_kobe
takuyay0ne
2
250
「どこから読む?」コードとカルチャーに最速で馴染むための実践ガイド
zozotech
PRO
0
570
2つのフロントエンドと状態管理
mixi_engineers
PRO
3
160
20250905_MeetUp_Ito-san_s_presentation.pdf
magicpod
1
100
Featured
See All Featured
What's in a price? How to price your products and services
michaelherold
246
12k
How GitHub (no longer) Works
holman
315
140k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
34
6k
GraphQLとの向き合い方2022年版
quramy
49
14k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
7
850
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
358
30k
A better future with KSS
kneath
239
17k
Producing Creativity
orderedlist
PRO
347
40k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
53
3k
Intergalactic Javascript Robots from Outer Space
tanoku
272
27k
The Language of Interfaces
destraynor
161
25k
Scaling GitHub
holman
463
140k
Transcript
auth0.com Formal Specification Taming Other People's Tech &
SPECS! BY BEGINNERS FOR BEGINNERS @bellmar bit.ly/bellmar-auth0
TLA+ Conf Finding Bugs Without Running or Even Looking at
Code Correctness Proofs of Distributed Systems with Isabelle
WHAT IS FORMAL SPECIFICATION? @bellmar bit.ly/bellmar-auth0
-Inputs -Expected behavior -Legal outputs -Illegal behavior
Tell me the future, wise computer @bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
!! @bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0 Mostly I write bad specs, and this talk
is about how that still adds a lot of value The more people write specs the faster we all learn
S3 Design Session @bellmar bit.ly/bellmar-auth0
MOST ENGINEERS WILL NEVER BUILD A MESSAGE QUEUE You’ll buy
one from AWS
BUT SPECIFICATION CAN BE APPLIED TO MANY DIFFERENT THINGS! @bellmar
bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0 Identity as a Service
@bellmar bit.ly/bellmar-auth0
Built by other teams
In taking over a service: - Defining SLOs - Evaluating
debt - Studying existing problems and rethinking architecture
EMAILS - validate email - password reset - principal mode
of communication We do logins not emails!
EMAILS - validate email - password reset - principal mode
of communication @bellmar bit.ly/bellmar-auth0
X per hour @bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
Email all my users! Password Reset Anomaly Detection Welcome Email
Validation @bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
HOW DO WE KNOW IF THIS CHANGE IS SAFE? @bellmar
bit.ly/bellmar-auth0
LET’S WRITE A SPEC! @bellmar bit.ly/bellmar-auth0
STEPS WITH SPECIFICATIONS YOU THINK IN STATES WITH ALGORITHMS YOU
THINK IN @bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
\ 40% → ✅ 41% → ✅ 42% → ✅
43% → ✅ 44% → ✅ 45% → ✅ 46% → ✅ 47% → ✅ 48% → ✅ 49% → ✅ 50% → ✅
VM 50% VM 20% VM 70%
VM 50% VM 20% VM 70% Test all possible states
to make sure the load balancer does the right thing
40% → ✅ 41% → ✅ 42% → ✅ 43%
→ ✅ 44% → ✅ 45% → ✅ 46% → ✅ 47% → ✅ 48% → ✅ 49% → ✅ 50% → ✅ 40% → ✅ 50% → ✅ 60% → ✅ 70% → ❌ ✅ ❌
Normal Idle Unhealthy @bellmar bit.ly/bellmar-auth0
Must always be true: 0 < servers > 10 Goto!
Party like it’s 1979…
LEAVE YOUR PROBABILITY AT HOME
Sometimes we kill a server, sometimes we create one Literally
the one time we just keep killing servers @bellmar bit.ly/bellmar-auth0
Sometimes we kill a server, sometimes we create one Literally
the one time we just keep killing servers ARGH! BUT WHY? THAT WILL NEVER HAPPEN!!
SYSTEM NOT SYSTEM LGTM SAFETY @bellmar bit.ly/bellmar-auth0
Normal Idle Unhealthy Health Check @bellmar bit.ly/bellmar-auth0
- Several unhealthy servers == Create new - All servers
healthy and more than 3 == Shut one down - Else assume we kill and refresh unhealthy
- Several unhealthy servers == Create new - All servers
healthy and more than 3 == Shut one down - Else assume we kill and refresh unhealthy
WHAT STATES SHOULD BE IMPOSSIBLE? (NOT UNDESIRABLE?) @bellmar bit.ly/bellmar-auth0
Servers keep restarting Too many servers Too few servers Healthcheck
action inconsistency @bellmar bit.ly/bellmar-auth0
Servers keep restarting Too many servers Too few servers Healthcheck
action inconsistency Undesirable but not impossible states @bellmar bit.ly/bellmar-auth0
Maybe you should turn yourself rather than the puzzle
Anyway… @bellmar bit.ly/bellmar-auth0
x per hour @bellmar bit.ly/bellmar-auth0
One please! @bellmar bit.ly/bellmar-auth0
One please! Sorry no more tokens. Sit in the retry
queue and come back later @bellmar bit.ly/bellmar-auth0
One please! Sorry no more tokens. Sit in the retry
queue and come back later @bellmar bit.ly/bellmar-auth0
STATE HOW DO WE MAKE THIS LOOK LIKE A MACHINE
@bellmar bit.ly/bellmar-auth0
Queued → Worker → Sent Has Tokens → No Tokens
@bellmar bit.ly/bellmar-auth0
Queued Worker Sent @bellmar bit.ly/bellmar-auth0
Queued Worker Sent Dropped @bellmar bit.ly/bellmar-auth0
WHAT’S STATES SHOULD BE IMPOSSIBLE? @bellmar bit.ly/bellmar-auth0
Has Token → Deleted Sent → Deleted Deleted → Sent
No Token → Sent @bellmar bit.ly/bellmar-auth0
HOW DOES OUR IMPLEMENTATION PREVENT THESE STATES? @bellmar bit.ly/bellmar-auth0
JUST TRYING TO BUILD THE MODEL OFTEN REVEALS BUGS @bellmar
bit.ly/bellmar-auth0
Email all my users! Password Reset Anomaly Detection Welcome Email
Validation @bellmar bit.ly/bellmar-auth0
Email all my users! Password Reset Anomaly Detection Welcome Email
Validation @bellmar bit.ly/bellmar-auth0
Queued Worker @bellmar bit.ly/bellmar-auth0
GREAT, SO WHAT SHOULD OUR MODEL LOOK LIKE? @bellmar bit.ly/bellmar-auth0
Tenant Tenant Tenant @bellmar bit.ly/bellmar-auth0
Tenant @bellmar bit.ly/bellmar-auth0 For each tenant For each bucket
LOOPS WILL F— YOU UP LOOPS @bellmar bit.ly/bellmar-auth0
x in [a, b, c] print x “a” “b” “c”
@bellmar bit.ly/bellmar-auth0
x in [a, b, c] l=append(l, x) l = [
] print l @bellmar bit.ly/bellmar-auth0
x in [a, b, c] l=append(l, x) [“a”] [“a”, “b”]
[“a”, “b”, “c”] l = [ ] print l @bellmar bit.ly/bellmar-auth0
x in [a, b, c] l = [ ] [“a”]
[“b”] [“c”] l=append(l, x) print l @bellmar bit.ly/bellmar-auth0
A B C then then A B C or or
Steps States @bellmar bit.ly/bellmar-auth0
Tenant Tenant Tenant @bellmar bit.ly/bellmar-auth0
Tenant Tenant Tenant @bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
Alice Bob Oh… that’s easy!
Undesirable -vs- Impossible
Queue Publishers
“SHOULD THE PUBLISHERS BE PUTTING THINGS DIRECTLY IN THE QUEUE?”
@bellmar bit.ly/bellmar-auth0 WAIT…
1) Make it look like a state machine 2) Define
the impossible states 3) Model what makes them impossible To Summarize: @bellmar bit.ly/bellmar-auth0
Things that already look like state machines: @bellmar bit.ly/bellmar-auth0
Things that already look like state machines: - Redux @bellmar
bit.ly/bellmar-auth0
Things that already look like state machines: - Redux -
AWS Lambda @bellmar bit.ly/bellmar-auth0
Things that already look like state machines: - Redux -
AWS Lambda - Workflow Orchestration (Airflow, Conductor, Luigi) @bellmar bit.ly/bellmar-auth0
Bit.ly/bellmar-auth0