Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Formal Specifications and Other People's Tech
Search
Marianne Bellotti
September 13, 2019
Technology
160
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Formal Specifications and Other People's Tech
How do you use formal specification like TLA+ to model real world engineering challenges?
Marianne Bellotti
September 13, 2019
More Decks by Marianne Bellotti
See All by Marianne Bellotti
Building Safety Critical Systems
mbellotti
0
190
Killer Robots and Rogue AI
mbellotti
0
32
Five Lies of Modernization
mbellotti
0
40
Interdisciplinary Engineering
mbellotti
0
180
Worst Case Scenario in the Database
mbellotti
0
110
Death of the Trusted Internet
mbellotti
0
140
Debunking Other People's Data Science
mbellotti
0
130
Other Decks in Technology
See All in Technology
GitHub Copilot app最速の発信の裏側
tomokusaba
1
260
脱SaaS!FDEを支えるプロビジョニングと分離設計
knih
0
300
「ビジネスがわかるエンジニア」とは何か?
ryooob
0
300
2026 AI Memory Architecture
nagatsu
0
250
本当の”仕事”を手放せる未来が見えた
mu7889yoon
0
130
Flow 不死:AI 時代 DevOps 的不變本質
cheng_wei_chen
2
510
From Prompt Engineering to Loop Engineering
shibuiwilliam
1
220
アジャイルな経理と Claude Code と経営の未来
kawaguti
PRO
3
190
AIネイティブな開発のサプライチェーンリスク対策 〜激動の開発現場でリスクに立ち向かう〜【ZennFes】
cscengineer
PRO
2
160
LayerX コーポレートエンジニアリング室におけるサプライチェーンセキュリティへの取り組み / Supply Chain Security at LayerX Corporate Engineering
yuyatakeyama
3
840
AWS Security Agent といっしょに脅威モデリングをやってみよう
amarelo_n24
1
210
元・セキュリティ学習経験0大学生による業務紹介 / An Introduction to the Job by a Former College Student with Zero Security Training Experience
nttcom
0
160
Featured
See All Featured
Context Engineering - Making Every Token Count
addyosmani
9
980
Heart Work Chapter 1 - Part 1
lfama
PRO
7
36k
How Software Deployment tools have changed in the past 20 years
geshan
0
34k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
4.3k
Become a Pro
speakerdeck
PRO
31
6k
Designing for humans not robots
tammielis
254
26k
How to Align SEO within the Product Triangle To Get Buy-In & Support - #RIMC
aleyda
2
1.6k
The Director’s Chair: Orchestrating AI for Truly Effective Learning
tmiket
1
200
Stop Working from a Prison Cell
hatefulcrawdad
274
21k
Stewardship and Sustainability of Urban and Community Forests
pwiseman
0
230
More Than Pixels: Becoming A User Experience Designer
marktimemedia
3
450
Money Talks: Using Revenue to Get Sh*t Done
nikkihalliwell
0
260
Transcript
auth0.com Formal Specification Taming Other People's Tech &
SPECS! BY BEGINNERS FOR BEGINNERS @bellmar bit.ly/bellmar-auth0
TLA+ Conf Finding Bugs Without Running or Even Looking at
Code Correctness Proofs of Distributed Systems with Isabelle
WHAT IS FORMAL SPECIFICATION? @bellmar bit.ly/bellmar-auth0
-Inputs -Expected behavior -Legal outputs -Illegal behavior
Tell me the future, wise computer @bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
!! @bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0 Mostly I write bad specs, and this talk
is about how that still adds a lot of value The more people write specs the faster we all learn
S3 Design Session @bellmar bit.ly/bellmar-auth0
MOST ENGINEERS WILL NEVER BUILD A MESSAGE QUEUE You’ll buy
one from AWS
BUT SPECIFICATION CAN BE APPLIED TO MANY DIFFERENT THINGS! @bellmar
bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0 Identity as a Service
@bellmar bit.ly/bellmar-auth0
Built by other teams
In taking over a service: - Defining SLOs - Evaluating
debt - Studying existing problems and rethinking architecture
EMAILS - validate email - password reset - principal mode
of communication We do logins not emails!
EMAILS - validate email - password reset - principal mode
of communication @bellmar bit.ly/bellmar-auth0
X per hour @bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
Email all my users! Password Reset Anomaly Detection Welcome Email
Validation @bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
HOW DO WE KNOW IF THIS CHANGE IS SAFE? @bellmar
bit.ly/bellmar-auth0
LET’S WRITE A SPEC! @bellmar bit.ly/bellmar-auth0
STEPS WITH SPECIFICATIONS YOU THINK IN STATES WITH ALGORITHMS YOU
THINK IN @bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
\ 40% → ✅ 41% → ✅ 42% → ✅
43% → ✅ 44% → ✅ 45% → ✅ 46% → ✅ 47% → ✅ 48% → ✅ 49% → ✅ 50% → ✅
VM 50% VM 20% VM 70%
VM 50% VM 20% VM 70% Test all possible states
to make sure the load balancer does the right thing
40% → ✅ 41% → ✅ 42% → ✅ 43%
→ ✅ 44% → ✅ 45% → ✅ 46% → ✅ 47% → ✅ 48% → ✅ 49% → ✅ 50% → ✅ 40% → ✅ 50% → ✅ 60% → ✅ 70% → ❌ ✅ ❌
Normal Idle Unhealthy @bellmar bit.ly/bellmar-auth0
Must always be true: 0 < servers > 10 Goto!
Party like it’s 1979…
LEAVE YOUR PROBABILITY AT HOME
Sometimes we kill a server, sometimes we create one Literally
the one time we just keep killing servers @bellmar bit.ly/bellmar-auth0
Sometimes we kill a server, sometimes we create one Literally
the one time we just keep killing servers ARGH! BUT WHY? THAT WILL NEVER HAPPEN!!
SYSTEM NOT SYSTEM LGTM SAFETY @bellmar bit.ly/bellmar-auth0
Normal Idle Unhealthy Health Check @bellmar bit.ly/bellmar-auth0
- Several unhealthy servers == Create new - All servers
healthy and more than 3 == Shut one down - Else assume we kill and refresh unhealthy
- Several unhealthy servers == Create new - All servers
healthy and more than 3 == Shut one down - Else assume we kill and refresh unhealthy
WHAT STATES SHOULD BE IMPOSSIBLE? (NOT UNDESIRABLE?) @bellmar bit.ly/bellmar-auth0
Servers keep restarting Too many servers Too few servers Healthcheck
action inconsistency @bellmar bit.ly/bellmar-auth0
Servers keep restarting Too many servers Too few servers Healthcheck
action inconsistency Undesirable but not impossible states @bellmar bit.ly/bellmar-auth0
Maybe you should turn yourself rather than the puzzle
Anyway… @bellmar bit.ly/bellmar-auth0
x per hour @bellmar bit.ly/bellmar-auth0
One please! @bellmar bit.ly/bellmar-auth0
One please! Sorry no more tokens. Sit in the retry
queue and come back later @bellmar bit.ly/bellmar-auth0
One please! Sorry no more tokens. Sit in the retry
queue and come back later @bellmar bit.ly/bellmar-auth0
STATE HOW DO WE MAKE THIS LOOK LIKE A MACHINE
@bellmar bit.ly/bellmar-auth0
Queued → Worker → Sent Has Tokens → No Tokens
@bellmar bit.ly/bellmar-auth0
Queued Worker Sent @bellmar bit.ly/bellmar-auth0
Queued Worker Sent Dropped @bellmar bit.ly/bellmar-auth0
WHAT’S STATES SHOULD BE IMPOSSIBLE? @bellmar bit.ly/bellmar-auth0
Has Token → Deleted Sent → Deleted Deleted → Sent
No Token → Sent @bellmar bit.ly/bellmar-auth0
HOW DOES OUR IMPLEMENTATION PREVENT THESE STATES? @bellmar bit.ly/bellmar-auth0
JUST TRYING TO BUILD THE MODEL OFTEN REVEALS BUGS @bellmar
bit.ly/bellmar-auth0
Email all my users! Password Reset Anomaly Detection Welcome Email
Validation @bellmar bit.ly/bellmar-auth0
Email all my users! Password Reset Anomaly Detection Welcome Email
Validation @bellmar bit.ly/bellmar-auth0
Queued Worker @bellmar bit.ly/bellmar-auth0
GREAT, SO WHAT SHOULD OUR MODEL LOOK LIKE? @bellmar bit.ly/bellmar-auth0
Tenant Tenant Tenant @bellmar bit.ly/bellmar-auth0
Tenant @bellmar bit.ly/bellmar-auth0 For each tenant For each bucket
LOOPS WILL F— YOU UP LOOPS @bellmar bit.ly/bellmar-auth0
x in [a, b, c] print x “a” “b” “c”
@bellmar bit.ly/bellmar-auth0
x in [a, b, c] l=append(l, x) l = [
] print l @bellmar bit.ly/bellmar-auth0
x in [a, b, c] l=append(l, x) [“a”] [“a”, “b”]
[“a”, “b”, “c”] l = [ ] print l @bellmar bit.ly/bellmar-auth0
x in [a, b, c] l = [ ] [“a”]
[“b”] [“c”] l=append(l, x) print l @bellmar bit.ly/bellmar-auth0
A B C then then A B C or or
Steps States @bellmar bit.ly/bellmar-auth0
Tenant Tenant Tenant @bellmar bit.ly/bellmar-auth0
Tenant Tenant Tenant @bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
Alice Bob Oh… that’s easy!
Undesirable -vs- Impossible
Queue Publishers
“SHOULD THE PUBLISHERS BE PUTTING THINGS DIRECTLY IN THE QUEUE?”
@bellmar bit.ly/bellmar-auth0 WAIT…
1) Make it look like a state machine 2) Define
the impossible states 3) Model what makes them impossible To Summarize: @bellmar bit.ly/bellmar-auth0
Things that already look like state machines: @bellmar bit.ly/bellmar-auth0
Things that already look like state machines: - Redux @bellmar
bit.ly/bellmar-auth0
Things that already look like state machines: - Redux -
AWS Lambda @bellmar bit.ly/bellmar-auth0
Things that already look like state machines: - Redux -
AWS Lambda - Workflow Orchestration (Airflow, Conductor, Luigi) @bellmar bit.ly/bellmar-auth0
Bit.ly/bellmar-auth0