$30 off During Our Annual Pro Sale. View Details »
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Formal Specifications and Other People's Tech
Search
Marianne Bellotti
September 13, 2019
Technology
0
140
Formal Specifications and Other People's Tech
How do you use formal specification like TLA+ to model real world engineering challenges?
Marianne Bellotti
September 13, 2019
Tweet
Share
More Decks by Marianne Bellotti
See All by Marianne Bellotti
Building Safety Critical Systems
mbellotti
0
180
Killer Robots and Rogue AI
mbellotti
0
16
Five Lies of Modernization
mbellotti
0
19
Interdisciplinary Engineering
mbellotti
0
170
Worst Case Scenario in the Database
mbellotti
0
92
Death of the Trusted Internet
mbellotti
0
130
Debunking Other People's Data Science
mbellotti
0
130
Other Decks in Technology
See All in Technology
通勤手当申請チェックエージェント開発のリアル
whisaiyo
3
470
SREが取り組むデプロイ高速化 ─ Docker Buildを最適化した話
capytan
0
150
子育てで想像してなかった「見えないダメージ」 / Unforeseen "hidden burdens" of raising children.
pauli
2
330
ソフトウェアエンジニアとAIエンジニアの役割分担についてのある事例
kworkdev
PRO
0
280
[2025-12-12]あの日僕が見た胡蝶の夢 〜人の夢は終わらねェ AIによるパフォーマンスチューニングのすゝめ〜
tosite
0
180
AIBuildersDay_track_A_iidaxs
iidaxs
4
1.4k
New Relic 1 年生の振り返りと Cloud Cost Intelligence について #NRUG
play_inc
0
240
ハッカソンから社内プロダクトへ AIエージェント ko☆shi 開発で学んだ4つの重要要素
leveragestech
0
210
AWSの新機能をフル活用した「re:Inventエージェント」開発秘話
minorun365
2
470
『君の名は』と聞く君の名は。 / Your name, you who asks for mine.
nttcom
1
120
20251222_サンフランシスコサバイバル術
ponponmikankan
2
140
AWS運用を効率化する!AWS Organizationsを軸にした一元管理の実践/nikkei-tech-talk-202512
nikkei_engineer_recruiting
0
170
Featured
See All Featured
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
27k
The SEO Collaboration Effect
kristinabergwall1
0
310
Un-Boring Meetings
codingconduct
0
160
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
231
22k
Why Your Marketing Sucks and What You Can Do About It - Sophie Logan
marketingsoph
0
45
Stewardship and Sustainability of Urban and Community Forests
pwiseman
0
73
A Guide to Academic Writing Using Generative AI - A Workshop
ks91
PRO
0
170
Building Applications with DynamoDB
mza
96
6.8k
StorybookのUI Testing Handbookを読んだ
zakiyama
31
6.5k
How To Speak Unicorn (iThemes Webinar)
marktimemedia
1
350
HU Berlin: Industrial-Strength Natural Language Processing with spaCy and Prodigy
inesmontani
PRO
0
110
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
130k
Transcript
auth0.com Formal Specification Taming Other People's Tech &
SPECS! BY BEGINNERS FOR BEGINNERS @bellmar bit.ly/bellmar-auth0
TLA+ Conf Finding Bugs Without Running or Even Looking at
Code Correctness Proofs of Distributed Systems with Isabelle
WHAT IS FORMAL SPECIFICATION? @bellmar bit.ly/bellmar-auth0
-Inputs -Expected behavior -Legal outputs -Illegal behavior
Tell me the future, wise computer @bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
!! @bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0 Mostly I write bad specs, and this talk
is about how that still adds a lot of value The more people write specs the faster we all learn
S3 Design Session @bellmar bit.ly/bellmar-auth0
MOST ENGINEERS WILL NEVER BUILD A MESSAGE QUEUE You’ll buy
one from AWS
BUT SPECIFICATION CAN BE APPLIED TO MANY DIFFERENT THINGS! @bellmar
bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0 Identity as a Service
@bellmar bit.ly/bellmar-auth0
Built by other teams
In taking over a service: - Defining SLOs - Evaluating
debt - Studying existing problems and rethinking architecture
EMAILS - validate email - password reset - principal mode
of communication We do logins not emails!
EMAILS - validate email - password reset - principal mode
of communication @bellmar bit.ly/bellmar-auth0
X per hour @bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
Email all my users! Password Reset Anomaly Detection Welcome Email
Validation @bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
HOW DO WE KNOW IF THIS CHANGE IS SAFE? @bellmar
bit.ly/bellmar-auth0
LET’S WRITE A SPEC! @bellmar bit.ly/bellmar-auth0
STEPS WITH SPECIFICATIONS YOU THINK IN STATES WITH ALGORITHMS YOU
THINK IN @bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
\ 40% → ✅ 41% → ✅ 42% → ✅
43% → ✅ 44% → ✅ 45% → ✅ 46% → ✅ 47% → ✅ 48% → ✅ 49% → ✅ 50% → ✅
VM 50% VM 20% VM 70%
VM 50% VM 20% VM 70% Test all possible states
to make sure the load balancer does the right thing
40% → ✅ 41% → ✅ 42% → ✅ 43%
→ ✅ 44% → ✅ 45% → ✅ 46% → ✅ 47% → ✅ 48% → ✅ 49% → ✅ 50% → ✅ 40% → ✅ 50% → ✅ 60% → ✅ 70% → ❌ ✅ ❌
Normal Idle Unhealthy @bellmar bit.ly/bellmar-auth0
Must always be true: 0 < servers > 10 Goto!
Party like it’s 1979…
LEAVE YOUR PROBABILITY AT HOME
Sometimes we kill a server, sometimes we create one Literally
the one time we just keep killing servers @bellmar bit.ly/bellmar-auth0
Sometimes we kill a server, sometimes we create one Literally
the one time we just keep killing servers ARGH! BUT WHY? THAT WILL NEVER HAPPEN!!
SYSTEM NOT SYSTEM LGTM SAFETY @bellmar bit.ly/bellmar-auth0
Normal Idle Unhealthy Health Check @bellmar bit.ly/bellmar-auth0
- Several unhealthy servers == Create new - All servers
healthy and more than 3 == Shut one down - Else assume we kill and refresh unhealthy
- Several unhealthy servers == Create new - All servers
healthy and more than 3 == Shut one down - Else assume we kill and refresh unhealthy
WHAT STATES SHOULD BE IMPOSSIBLE? (NOT UNDESIRABLE?) @bellmar bit.ly/bellmar-auth0
Servers keep restarting Too many servers Too few servers Healthcheck
action inconsistency @bellmar bit.ly/bellmar-auth0
Servers keep restarting Too many servers Too few servers Healthcheck
action inconsistency Undesirable but not impossible states @bellmar bit.ly/bellmar-auth0
Maybe you should turn yourself rather than the puzzle
Anyway… @bellmar bit.ly/bellmar-auth0
x per hour @bellmar bit.ly/bellmar-auth0
One please! @bellmar bit.ly/bellmar-auth0
One please! Sorry no more tokens. Sit in the retry
queue and come back later @bellmar bit.ly/bellmar-auth0
One please! Sorry no more tokens. Sit in the retry
queue and come back later @bellmar bit.ly/bellmar-auth0
STATE HOW DO WE MAKE THIS LOOK LIKE A MACHINE
@bellmar bit.ly/bellmar-auth0
Queued → Worker → Sent Has Tokens → No Tokens
@bellmar bit.ly/bellmar-auth0
Queued Worker Sent @bellmar bit.ly/bellmar-auth0
Queued Worker Sent Dropped @bellmar bit.ly/bellmar-auth0
WHAT’S STATES SHOULD BE IMPOSSIBLE? @bellmar bit.ly/bellmar-auth0
Has Token → Deleted Sent → Deleted Deleted → Sent
No Token → Sent @bellmar bit.ly/bellmar-auth0
HOW DOES OUR IMPLEMENTATION PREVENT THESE STATES? @bellmar bit.ly/bellmar-auth0
JUST TRYING TO BUILD THE MODEL OFTEN REVEALS BUGS @bellmar
bit.ly/bellmar-auth0
Email all my users! Password Reset Anomaly Detection Welcome Email
Validation @bellmar bit.ly/bellmar-auth0
Email all my users! Password Reset Anomaly Detection Welcome Email
Validation @bellmar bit.ly/bellmar-auth0
Queued Worker @bellmar bit.ly/bellmar-auth0
GREAT, SO WHAT SHOULD OUR MODEL LOOK LIKE? @bellmar bit.ly/bellmar-auth0
Tenant Tenant Tenant @bellmar bit.ly/bellmar-auth0
Tenant @bellmar bit.ly/bellmar-auth0 For each tenant For each bucket
LOOPS WILL F— YOU UP LOOPS @bellmar bit.ly/bellmar-auth0
x in [a, b, c] print x “a” “b” “c”
@bellmar bit.ly/bellmar-auth0
x in [a, b, c] l=append(l, x) l = [
] print l @bellmar bit.ly/bellmar-auth0
x in [a, b, c] l=append(l, x) [“a”] [“a”, “b”]
[“a”, “b”, “c”] l = [ ] print l @bellmar bit.ly/bellmar-auth0
x in [a, b, c] l = [ ] [“a”]
[“b”] [“c”] l=append(l, x) print l @bellmar bit.ly/bellmar-auth0
A B C then then A B C or or
Steps States @bellmar bit.ly/bellmar-auth0
Tenant Tenant Tenant @bellmar bit.ly/bellmar-auth0
Tenant Tenant Tenant @bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
Alice Bob Oh… that’s easy!
Undesirable -vs- Impossible
Queue Publishers
“SHOULD THE PUBLISHERS BE PUTTING THINGS DIRECTLY IN THE QUEUE?”
@bellmar bit.ly/bellmar-auth0 WAIT…
1) Make it look like a state machine 2) Define
the impossible states 3) Model what makes them impossible To Summarize: @bellmar bit.ly/bellmar-auth0
Things that already look like state machines: @bellmar bit.ly/bellmar-auth0
Things that already look like state machines: - Redux @bellmar
bit.ly/bellmar-auth0
Things that already look like state machines: - Redux -
AWS Lambda @bellmar bit.ly/bellmar-auth0
Things that already look like state machines: - Redux -
AWS Lambda - Workflow Orchestration (Airflow, Conductor, Luigi) @bellmar bit.ly/bellmar-auth0
Bit.ly/bellmar-auth0
mbellotti
whisaiyo
capytan
pauli
kworkdev
tosite
iidaxs
play_inc
leveragestech
minorun365
nttcom
ponponmikankan
nikkei_engineer_recruiting
cassininazir
kristinabergwall1
codingconduct
danielanewman
marketingsoph
pwiseman
ks91
mza
zakiyama
marktimemedia
inesmontani
pedronauck
![x in [a, b, c] print x “a” “b” “c”](https://files.speakerdeck.com/presentations/6b4a67dca9714ea392f5c653e29489f2/slide_65.jpg){kind=link}
![x in [a, b, c] l=append(l, x) l = [](https://files.speakerdeck.com/presentations/6b4a67dca9714ea392f5c653e29489f2/slide_66.jpg){kind=link}
![x in [a, b, c] l=append(l, x) [“a”] [“a”, “b”]](https://files.speakerdeck.com/presentations/6b4a67dca9714ea392f5c653e29489f2/slide_67.jpg){kind=link}
![x in [a, b, c] l = [ ] [“a”]](https://files.speakerdeck.com/presentations/6b4a67dca9714ea392f5c653e29489f2/slide_68.jpg){kind=link}
