Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Formal Specifications and Other People's Tech
Search
Marianne Bellotti
September 13, 2019
Technology
0
120
Formal Specifications and Other People's Tech
How do you use formal specification like TLA+ to model real world engineering challenges?
Marianne Bellotti
September 13, 2019
Tweet
Share
More Decks by Marianne Bellotti
See All by Marianne Bellotti
Building Safety Critical Systems
mbellotti
0
140
Killer Robots and Rogue AI
mbellotti
0
9
Five Lies of Modernization
mbellotti
0
14
Interdisciplinary Engineering
mbellotti
0
120
Worst Case Scenario in the Database
mbellotti
0
75
Death of the Trusted Internet
mbellotti
0
110
Debunking Other People's Data Science
mbellotti
0
90
Other Decks in Technology
See All in Technology
〜小さく始めて大きく育てる〜データ分析基盤の開発から活用まで
kniino
0
2k
PHPカンファレンス小田原2024
ysknsid25
3
660
DevOpsDays History and my DevOps story
kawaguti
PRO
8
1.6k
Cloud Native Java with Spring Boot (CNCF Aarhus, April 2024)
thomasvitale
1
120
「共通基盤」を超えよ! 今、Platform Engineeringに取り組むべき理由
jacopen
25
5.9k
DevOpsメトリクスとアウトカムの接続にトライ!開発プロセスを通して計測できるメトリクスの活用方法
ham0215
1
200
Google Cloud の AI を支える裏側のインフラを垣間見る!
maroon1st
0
200
小さな開発会社がWebサービスを作る理由
polidog
PRO
1
160
Microsoft Cloudで開発ライフサイクルを保護する
kkamegawa
0
140
Four keys改善の取り組み事例紹介
sansantech
PRO
3
230
AWS を使う上で知っておきたいオンプレミス知識/aws-on-premise-essentials
emiki
1
4.2k
インシデントレスポンスのライフサイクルを廻すポイントってなに / Pinpoints of Incidentresponse Lifecycle for Operation
sakaitakeshi
1
300
Featured
See All Featured
GitHub's CSS Performance
jonrohan
1023
450k
How To Stay Up To Date on Web Technology
chriscoyier
782
250k
Rails Girls Zürich Keynote
gr2m
91
13k
Designing the Hi-DPI Web
ddemaree
276
33k
Embracing the Ebb and Flow
colly
79
4.1k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
18
1.7k
The World Runs on Bad Software
bkeepers
PRO
61
6.7k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
226
16k
Building a Modern Day E-commerce SEO Strategy
aleyda
16
6.4k
YesSQL, Process and Tooling at Scale
rocio
163
13k
Being A Developer After 40
akosma
56
580k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3k
Transcript
auth0.com Formal Specification Taming Other People's Tech &
SPECS! BY BEGINNERS FOR BEGINNERS @bellmar bit.ly/bellmar-auth0
TLA+ Conf Finding Bugs Without Running or Even Looking at
Code Correctness Proofs of Distributed Systems with Isabelle
WHAT IS FORMAL SPECIFICATION? @bellmar bit.ly/bellmar-auth0
-Inputs -Expected behavior -Legal outputs -Illegal behavior
Tell me the future, wise computer @bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
!! @bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0 Mostly I write bad specs, and this talk
is about how that still adds a lot of value The more people write specs the faster we all learn
S3 Design Session @bellmar bit.ly/bellmar-auth0
MOST ENGINEERS WILL NEVER BUILD A MESSAGE QUEUE You’ll buy
one from AWS
BUT SPECIFICATION CAN BE APPLIED TO MANY DIFFERENT THINGS! @bellmar
bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0 Identity as a Service
@bellmar bit.ly/bellmar-auth0
Built by other teams
In taking over a service: - Defining SLOs - Evaluating
debt - Studying existing problems and rethinking architecture
EMAILS - validate email - password reset - principal mode
of communication We do logins not emails!
EMAILS - validate email - password reset - principal mode
of communication @bellmar bit.ly/bellmar-auth0
X per hour @bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
Email all my users! Password Reset Anomaly Detection Welcome Email
Validation @bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
HOW DO WE KNOW IF THIS CHANGE IS SAFE? @bellmar
bit.ly/bellmar-auth0
LET’S WRITE A SPEC! @bellmar bit.ly/bellmar-auth0
STEPS WITH SPECIFICATIONS YOU THINK IN STATES WITH ALGORITHMS YOU
THINK IN @bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
\ 40% → ✅ 41% → ✅ 42% → ✅
43% → ✅ 44% → ✅ 45% → ✅ 46% → ✅ 47% → ✅ 48% → ✅ 49% → ✅ 50% → ✅
VM 50% VM 20% VM 70%
VM 50% VM 20% VM 70% Test all possible states
to make sure the load balancer does the right thing
40% → ✅ 41% → ✅ 42% → ✅ 43%
→ ✅ 44% → ✅ 45% → ✅ 46% → ✅ 47% → ✅ 48% → ✅ 49% → ✅ 50% → ✅ 40% → ✅ 50% → ✅ 60% → ✅ 70% → ❌ ✅ ❌
Normal Idle Unhealthy @bellmar bit.ly/bellmar-auth0
Must always be true: 0 < servers > 10 Goto!
Party like it’s 1979…
LEAVE YOUR PROBABILITY AT HOME
Sometimes we kill a server, sometimes we create one Literally
the one time we just keep killing servers @bellmar bit.ly/bellmar-auth0
Sometimes we kill a server, sometimes we create one Literally
the one time we just keep killing servers ARGH! BUT WHY? THAT WILL NEVER HAPPEN!!
SYSTEM NOT SYSTEM LGTM SAFETY @bellmar bit.ly/bellmar-auth0
Normal Idle Unhealthy Health Check @bellmar bit.ly/bellmar-auth0
- Several unhealthy servers == Create new - All servers
healthy and more than 3 == Shut one down - Else assume we kill and refresh unhealthy
- Several unhealthy servers == Create new - All servers
healthy and more than 3 == Shut one down - Else assume we kill and refresh unhealthy
WHAT STATES SHOULD BE IMPOSSIBLE? (NOT UNDESIRABLE?) @bellmar bit.ly/bellmar-auth0
Servers keep restarting Too many servers Too few servers Healthcheck
action inconsistency @bellmar bit.ly/bellmar-auth0
Servers keep restarting Too many servers Too few servers Healthcheck
action inconsistency Undesirable but not impossible states @bellmar bit.ly/bellmar-auth0
Maybe you should turn yourself rather than the puzzle
Anyway… @bellmar bit.ly/bellmar-auth0
x per hour @bellmar bit.ly/bellmar-auth0
One please! @bellmar bit.ly/bellmar-auth0
One please! Sorry no more tokens. Sit in the retry
queue and come back later @bellmar bit.ly/bellmar-auth0
One please! Sorry no more tokens. Sit in the retry
queue and come back later @bellmar bit.ly/bellmar-auth0
STATE HOW DO WE MAKE THIS LOOK LIKE A MACHINE
@bellmar bit.ly/bellmar-auth0
Queued → Worker → Sent Has Tokens → No Tokens
@bellmar bit.ly/bellmar-auth0
Queued Worker Sent @bellmar bit.ly/bellmar-auth0
Queued Worker Sent Dropped @bellmar bit.ly/bellmar-auth0
WHAT’S STATES SHOULD BE IMPOSSIBLE? @bellmar bit.ly/bellmar-auth0
Has Token → Deleted Sent → Deleted Deleted → Sent
No Token → Sent @bellmar bit.ly/bellmar-auth0
HOW DOES OUR IMPLEMENTATION PREVENT THESE STATES? @bellmar bit.ly/bellmar-auth0
JUST TRYING TO BUILD THE MODEL OFTEN REVEALS BUGS @bellmar
bit.ly/bellmar-auth0
Email all my users! Password Reset Anomaly Detection Welcome Email
Validation @bellmar bit.ly/bellmar-auth0
Email all my users! Password Reset Anomaly Detection Welcome Email
Validation @bellmar bit.ly/bellmar-auth0
Queued Worker @bellmar bit.ly/bellmar-auth0
GREAT, SO WHAT SHOULD OUR MODEL LOOK LIKE? @bellmar bit.ly/bellmar-auth0
Tenant Tenant Tenant @bellmar bit.ly/bellmar-auth0
Tenant @bellmar bit.ly/bellmar-auth0 For each tenant For each bucket
LOOPS WILL F— YOU UP LOOPS @bellmar bit.ly/bellmar-auth0
x in [a, b, c] print x “a” “b” “c”
@bellmar bit.ly/bellmar-auth0
x in [a, b, c] l=append(l, x) l = [
] print l @bellmar bit.ly/bellmar-auth0
x in [a, b, c] l=append(l, x) [“a”] [“a”, “b”]
[“a”, “b”, “c”] l = [ ] print l @bellmar bit.ly/bellmar-auth0
x in [a, b, c] l = [ ] [“a”]
[“b”] [“c”] l=append(l, x) print l @bellmar bit.ly/bellmar-auth0
A B C then then A B C or or
Steps States @bellmar bit.ly/bellmar-auth0
Tenant Tenant Tenant @bellmar bit.ly/bellmar-auth0
Tenant Tenant Tenant @bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
Alice Bob Oh… that’s easy!
Undesirable -vs- Impossible
Queue Publishers
“SHOULD THE PUBLISHERS BE PUTTING THINGS DIRECTLY IN THE QUEUE?”
@bellmar bit.ly/bellmar-auth0 WAIT…
1) Make it look like a state machine 2) Define
the impossible states 3) Model what makes them impossible To Summarize: @bellmar bit.ly/bellmar-auth0
Things that already look like state machines: @bellmar bit.ly/bellmar-auth0
Things that already look like state machines: - Redux @bellmar
bit.ly/bellmar-auth0
Things that already look like state machines: - Redux -
AWS Lambda @bellmar bit.ly/bellmar-auth0
Things that already look like state machines: - Redux -
AWS Lambda - Workflow Orchestration (Airflow, Conductor, Luigi) @bellmar bit.ly/bellmar-auth0
Bit.ly/bellmar-auth0