Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Formal Specifications and Other People's Tech

Avatar for Marianne Bellotti Marianne Bellotti
September 13, 2019
Technology
0
150

Formal Specifications and Other People's Tech

How do you use formal specification like TLA+ to model real world engineering challenges?

Avatar for Marianne Bellotti

Marianne Bellotti

September 13, 2019
Tweet

More Decks by Marianne Bellotti

See All by Marianne Bellotti
Building Safety Critical Systems
Avatar for Marianne Bellotti mbellotti
0
190
Killer Robots and Rogue AI
Avatar for Marianne Bellotti mbellotti
0
27
Five Lies of Modernization
Avatar for Marianne Bellotti mbellotti
0
23
Interdisciplinary Engineering
Avatar for Marianne Bellotti mbellotti
0
170
Worst Case Scenario in the Database
Avatar for Marianne Bellotti mbellotti
0
100
Death of the Trusted Internet
Avatar for Marianne Bellotti mbellotti
0
140
Debunking Other People's Data Science
Avatar for Marianne Bellotti mbellotti
0
130

Other Decks in Technology

See All in Technology
「捨てる」を設計する
Avatar for kubell kubell_hr
0
410
AI時代のシステム開発者の仕事_20260328
Avatar for 閃利㈱河村 純 sengtor
0
290
Phase05_ClaudeCode入門
Avatar for overflow ,Inc overflowinc
0
2.4k
脳が溶けた話 / Melted Brain
Avatar for Keisuke69 keisuke69
1
1.1k
韓非子に学ぶAI活用術
Avatar for tomfook tomfook
3
1k
私がよく使うMCPサーバー3選と社内で安全に活用する方法
Avatar for KintoTech_Dev kintotechdev
0
130
GitHub Actions侵害 — 相次ぐ事例を振り返り、次なる脅威に備える
Avatar for GMO Flatt Security flatt_security
8
5k
Phase02_AI座学_応用
Avatar for overflow ,Inc overflowinc
0
3.2k
Phase03_ドキュメント管理
Avatar for overflow ,Inc overflowinc
0
2.8k
ADK + Gemini Enterprise で 外部 API 連携エージェント作るなら OAuth の仕組みを理解しておこう
Avatar for Kaz kaz1437
0
220
AWS Systems Managerのハイブリッドアクティベーションを使用したガバメントクラウド環境の統合管理
Avatar for Toru_Kubota toru_kubota
1
180
ThetaOS - A Mythical Machine comes Alive
Avatar for Martijn aslander
0
210

Featured

See All Featured
Efficient Content Optimization with Google Search Console & Apps Script
Avatar for Katarina Dahlin katarinadahlin
PRO
1
440
The innovator’s Mindset - 
Leading Through an Era of Exponential Change - McGill University 2025
Avatar for Jean-Marc De Jonghe jdejongh
PRO
1
140
What Being in a Rock Band Can Teach Us About Real World SEO
Avatar for Ade Holder 427marketing
0
200
Crafting Experiences
Avatar for Bethany Jepchumba bethany
1
94
The Curse of the Amulet
Avatar for Matthew Lei leimatthew05
1
11k
Have SEOs Ruined the Internet? - User Awareness of SEO in 2025
Avatar for Akash Hashmi akashhashmi
0
300
Optimizing for Happiness
Avatar for Tom Preston-Werner mojombo
378
71k
Visual Storytelling: How to be a Superhuman Communicator
Avatar for David Neal reverentgeek
2
480
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
Avatar for Rebecca Miller-Webster rmw
35
3.4k
The AI Search Optimization Roadmap by Aleyda Solis
Avatar for Aleyda Solis aleyda
1
5.5k
Why You Should Never Use an ORM
Avatar for John Nunemaker jnunemaker
PRO
61
9.8k
Thoughts on Productivity
Avatar for Jon Yablonski jonyablonski
75
5.1k

Transcript

  1. auth0.com Formal Specification Taming Other People's Tech &

  2. SPECS! BY BEGINNERS FOR BEGINNERS @bellmar bit.ly/bellmar-auth0

  3. TLA+ Conf Finding Bugs Without Running or Even Looking at

    Code Correctness Proofs of Distributed Systems with Isabelle

  4. WHAT IS FORMAL SPECIFICATION? @bellmar bit.ly/bellmar-auth0

  5. -Inputs -Expected behavior -Legal outputs -Illegal behavior

  6. Tell me the future, wise computer @bellmar bit.ly/bellmar-auth0

  7. @bellmar bit.ly/bellmar-auth0

  8. !! @bellmar bit.ly/bellmar-auth0

  9. @bellmar bit.ly/bellmar-auth0 Mostly I write bad specs, and this talk

    is about how that still adds a lot of value The more people write specs the faster we all learn

  10. S3 Design Session @bellmar bit.ly/bellmar-auth0

  11. MOST ENGINEERS WILL NEVER BUILD A MESSAGE QUEUE You’ll buy

    one from AWS

  12. BUT SPECIFICATION CAN BE APPLIED TO MANY DIFFERENT THINGS! @bellmar

    bit.ly/bellmar-auth0

  13. @bellmar bit.ly/bellmar-auth0 Identity as a Service

  14. @bellmar bit.ly/bellmar-auth0

  15. Built by other teams

  16. In taking over a service: - Defining SLOs - Evaluating

    debt - Studying existing problems and rethinking architecture

  17. EMAILS - validate email - password reset - principal mode

    of communication We do logins not emails!

  18. EMAILS - validate email - password reset - principal mode

    of communication @bellmar bit.ly/bellmar-auth0

  19. X per hour @bellmar bit.ly/bellmar-auth0

  20. @bellmar bit.ly/bellmar-auth0

  21. @bellmar bit.ly/bellmar-auth0

  22. Email all my users! Password Reset Anomaly Detection Welcome Email

    Validation @bellmar bit.ly/bellmar-auth0

  23. @bellmar bit.ly/bellmar-auth0

  24. HOW DO WE KNOW IF THIS CHANGE IS SAFE? @bellmar

    bit.ly/bellmar-auth0

  25. LET’S WRITE A SPEC! @bellmar bit.ly/bellmar-auth0

  26. STEPS WITH SPECIFICATIONS YOU THINK IN STATES WITH ALGORITHMS YOU

    THINK IN @bellmar bit.ly/bellmar-auth0

  27. @bellmar bit.ly/bellmar-auth0

  28. @bellmar bit.ly/bellmar-auth0

  29. \ 40% → ✅ 41% → ✅ 42% → ✅

    43% → ✅ 44% → ✅ 45% → ✅ 46% → ✅ 47% → ✅ 48% → ✅ 49% → ✅ 50% → ✅

  30. VM 50% VM 20% VM 70%

  31. VM 50% VM 20% VM 70% Test all possible states

    to make sure the load balancer does the right thing

  32. 40% → ✅ 41% → ✅ 42% → ✅ 43%

    → ✅ 44% → ✅ 45% → ✅ 46% → ✅ 47% → ✅ 48% → ✅ 49% → ✅ 50% → ✅ 40% → ✅ 50% → ✅ 60% → ✅ 70% → ❌ ✅ ❌

  33. Normal Idle Unhealthy @bellmar bit.ly/bellmar-auth0

  34. Must always be true: 0 < servers > 10 Goto!

    Party like it’s 1979…

  35. LEAVE YOUR PROBABILITY AT HOME

  36. Sometimes we kill a server, sometimes we create one Literally

    the one time we just keep killing servers @bellmar bit.ly/bellmar-auth0

  37. Sometimes we kill a server, sometimes we create one Literally

    the one time we just keep killing servers ARGH! BUT WHY? THAT WILL NEVER HAPPEN!!

  38. SYSTEM NOT SYSTEM LGTM SAFETY @bellmar bit.ly/bellmar-auth0

  39. Normal Idle Unhealthy Health Check @bellmar bit.ly/bellmar-auth0

  40. - Several unhealthy servers == Create new - All servers

    healthy and more than 3 == Shut one down - Else assume we kill and refresh unhealthy

  41. - Several unhealthy servers == Create new - All servers

    healthy and more than 3 == Shut one down - Else assume we kill and refresh unhealthy

  42. WHAT STATES SHOULD BE IMPOSSIBLE? (NOT UNDESIRABLE?) @bellmar bit.ly/bellmar-auth0

  43. Servers keep restarting Too many servers Too few servers Healthcheck

    action inconsistency @bellmar bit.ly/bellmar-auth0

  44. Servers keep restarting Too many servers Too few servers Healthcheck

    action inconsistency Undesirable but not impossible states @bellmar bit.ly/bellmar-auth0

  45. Maybe you should turn yourself rather than the puzzle

  46. Anyway… @bellmar bit.ly/bellmar-auth0

  47. x per hour @bellmar bit.ly/bellmar-auth0

  48. One please! @bellmar bit.ly/bellmar-auth0

  49. One please! Sorry no more tokens. Sit in the retry

    queue and come back later @bellmar bit.ly/bellmar-auth0

  50. One please! Sorry no more tokens. Sit in the retry

    queue and come back later @bellmar bit.ly/bellmar-auth0

  51. STATE HOW DO WE MAKE THIS LOOK LIKE A MACHINE

    @bellmar bit.ly/bellmar-auth0

  52. Queued → Worker → Sent Has Tokens → No Tokens

    @bellmar bit.ly/bellmar-auth0

  53. Queued Worker Sent @bellmar bit.ly/bellmar-auth0

  54. Queued Worker Sent Dropped @bellmar bit.ly/bellmar-auth0

  55. WHAT’S STATES SHOULD BE IMPOSSIBLE? @bellmar bit.ly/bellmar-auth0

  56. Has Token → Deleted Sent → Deleted Deleted → Sent

    No Token → Sent @bellmar bit.ly/bellmar-auth0

  57. HOW DOES OUR IMPLEMENTATION PREVENT THESE STATES? @bellmar bit.ly/bellmar-auth0

  58. JUST TRYING TO BUILD THE MODEL OFTEN REVEALS BUGS @bellmar

    bit.ly/bellmar-auth0

  59. Email all my users! Password Reset Anomaly Detection Welcome Email

    Validation @bellmar bit.ly/bellmar-auth0

  60. Email all my users! Password Reset Anomaly Detection Welcome Email

    Validation @bellmar bit.ly/bellmar-auth0

  61. Queued Worker @bellmar bit.ly/bellmar-auth0

  62. GREAT, SO WHAT SHOULD OUR MODEL LOOK LIKE? @bellmar bit.ly/bellmar-auth0

  63. Tenant Tenant Tenant @bellmar bit.ly/bellmar-auth0

  64. Tenant @bellmar bit.ly/bellmar-auth0 For each tenant For each bucket

  65. LOOPS WILL F— YOU UP LOOPS @bellmar bit.ly/bellmar-auth0

  66. x in [a, b, c] print x “a” “b” “c”

    @bellmar bit.ly/bellmar-auth0

  67. x in [a, b, c] l=append(l, x) l = [

    ] print l @bellmar bit.ly/bellmar-auth0

  68. x in [a, b, c] l=append(l, x) [“a”] [“a”, “b”]

    [“a”, “b”, “c”] l = [ ] print l @bellmar bit.ly/bellmar-auth0

  69. x in [a, b, c] l = [ ] [“a”]

    [“b”] [“c”] l=append(l, x) print l @bellmar bit.ly/bellmar-auth0

  70. A B C then then A B C or or

    Steps States @bellmar bit.ly/bellmar-auth0

  71. Tenant Tenant Tenant @bellmar bit.ly/bellmar-auth0

  72. Tenant Tenant Tenant @bellmar bit.ly/bellmar-auth0

  73. @bellmar bit.ly/bellmar-auth0

  74. Alice Bob Oh… that’s easy!

  75. Undesirable -vs- Impossible

  76. Queue Publishers

  77. “SHOULD THE PUBLISHERS BE PUTTING THINGS DIRECTLY IN THE QUEUE?”

    @bellmar bit.ly/bellmar-auth0 WAIT…

  78. 1) Make it look like a state machine 2) Define

    the impossible states 3) Model what makes them impossible To Summarize: @bellmar bit.ly/bellmar-auth0

  79. Things that already look like state machines: @bellmar bit.ly/bellmar-auth0

  80. Things that already look like state machines: - Redux @bellmar

    bit.ly/bellmar-auth0

  81. Things that already look like state machines: - Redux -

    AWS Lambda @bellmar bit.ly/bellmar-auth0

  82. Things that already look like state machines: - Redux -

    AWS Lambda - Workflow Orchestration (Airflow, Conductor, Luigi) @bellmar bit.ly/bellmar-auth0

  83. Bit.ly/bellmar-auth0