Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Formal Specifications and Other People's Tech
Search
Marianne Bellotti
September 13, 2019
Technology
0
140
Formal Specifications and Other People's Tech
How do you use formal specification like TLA+ to model real world engineering challenges?
Marianne Bellotti
September 13, 2019
Tweet
Share
More Decks by Marianne Bellotti
See All by Marianne Bellotti
Building Safety Critical Systems
mbellotti
0
170
Killer Robots and Rogue AI
mbellotti
0
12
Five Lies of Modernization
mbellotti
0
18
Interdisciplinary Engineering
mbellotti
0
150
Worst Case Scenario in the Database
mbellotti
0
89
Death of the Trusted Internet
mbellotti
0
130
Debunking Other People's Data Science
mbellotti
0
110
Other Decks in Technology
See All in Technology
5min GuardDuty Extended Threat Detection EKS
takakuni
0
140
MySQL5.6から8.4へ 戦いの記録
kyoshidaxx
1
210
BigQuery Remote FunctionでLooker Studioをインタラクティブ化
cuebic9bic
3
290
Fabric + Databricks 2025.6 の最新情報ピックアップ
ryomaru0825
1
140
_第3回__AIxIoTビジネス共創ラボ紹介資料_20250617.pdf
iotcomjpadmin
0
150
Tech-Verse 2025 Keynote
lycorptech_jp
PRO
0
110
生成AI時代の開発組織・技術・プロセス 〜 ログラスの挑戦と考察 〜
itohiro73
0
150
製造業からパッケージ製品まで、あらゆる領域をカバー!生成AIを利用したテストシナリオ生成 / 20250627 Suguru Ishii
shift_evolve
PRO
1
140
急成長を支える基盤作り〜地道な改善からコツコツと〜 #cre_meetup
stefafafan
0
120
Microsoft Build 2025 技術/製品動向 for Microsoft Startup Tech Community
torumakabe
2
270
Observability в PHP без боли. Олег Мифле, тимлид Altenar
lamodatech
0
350
PHP開発者のためのSOLID原則再入門 #phpcon / PHP Conference Japan 2025
shogogg
4
730
Featured
See All Featured
Visualization
eitanlees
146
16k
The Art of Programming - Codeland 2020
erikaheidi
54
13k
For a Future-Friendly Web
brad_frost
179
9.8k
The Cult of Friendly URLs
andyhume
79
6.5k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
34
3k
The World Runs on Bad Software
bkeepers
PRO
69
11k
A better future with KSS
kneath
239
17k
Statistics for Hackers
jakevdp
799
220k
How STYLIGHT went responsive
nonsquared
100
5.6k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.7k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
331
22k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
130
19k
Transcript
auth0.com Formal Specification Taming Other People's Tech &
SPECS! BY BEGINNERS FOR BEGINNERS @bellmar bit.ly/bellmar-auth0
TLA+ Conf Finding Bugs Without Running or Even Looking at
Code Correctness Proofs of Distributed Systems with Isabelle
WHAT IS FORMAL SPECIFICATION? @bellmar bit.ly/bellmar-auth0
-Inputs -Expected behavior -Legal outputs -Illegal behavior
Tell me the future, wise computer @bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
!! @bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0 Mostly I write bad specs, and this talk
is about how that still adds a lot of value The more people write specs the faster we all learn
S3 Design Session @bellmar bit.ly/bellmar-auth0
MOST ENGINEERS WILL NEVER BUILD A MESSAGE QUEUE You’ll buy
one from AWS
BUT SPECIFICATION CAN BE APPLIED TO MANY DIFFERENT THINGS! @bellmar
bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0 Identity as a Service
@bellmar bit.ly/bellmar-auth0
Built by other teams
In taking over a service: - Defining SLOs - Evaluating
debt - Studying existing problems and rethinking architecture
EMAILS - validate email - password reset - principal mode
of communication We do logins not emails!
EMAILS - validate email - password reset - principal mode
of communication @bellmar bit.ly/bellmar-auth0
X per hour @bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
Email all my users! Password Reset Anomaly Detection Welcome Email
Validation @bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
HOW DO WE KNOW IF THIS CHANGE IS SAFE? @bellmar
bit.ly/bellmar-auth0
LET’S WRITE A SPEC! @bellmar bit.ly/bellmar-auth0
STEPS WITH SPECIFICATIONS YOU THINK IN STATES WITH ALGORITHMS YOU
THINK IN @bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
\ 40% → ✅ 41% → ✅ 42% → ✅
43% → ✅ 44% → ✅ 45% → ✅ 46% → ✅ 47% → ✅ 48% → ✅ 49% → ✅ 50% → ✅
VM 50% VM 20% VM 70%
VM 50% VM 20% VM 70% Test all possible states
to make sure the load balancer does the right thing
40% → ✅ 41% → ✅ 42% → ✅ 43%
→ ✅ 44% → ✅ 45% → ✅ 46% → ✅ 47% → ✅ 48% → ✅ 49% → ✅ 50% → ✅ 40% → ✅ 50% → ✅ 60% → ✅ 70% → ❌ ✅ ❌
Normal Idle Unhealthy @bellmar bit.ly/bellmar-auth0
Must always be true: 0 < servers > 10 Goto!
Party like it’s 1979…
LEAVE YOUR PROBABILITY AT HOME
Sometimes we kill a server, sometimes we create one Literally
the one time we just keep killing servers @bellmar bit.ly/bellmar-auth0
Sometimes we kill a server, sometimes we create one Literally
the one time we just keep killing servers ARGH! BUT WHY? THAT WILL NEVER HAPPEN!!
SYSTEM NOT SYSTEM LGTM SAFETY @bellmar bit.ly/bellmar-auth0
Normal Idle Unhealthy Health Check @bellmar bit.ly/bellmar-auth0
- Several unhealthy servers == Create new - All servers
healthy and more than 3 == Shut one down - Else assume we kill and refresh unhealthy
- Several unhealthy servers == Create new - All servers
healthy and more than 3 == Shut one down - Else assume we kill and refresh unhealthy
WHAT STATES SHOULD BE IMPOSSIBLE? (NOT UNDESIRABLE?) @bellmar bit.ly/bellmar-auth0
Servers keep restarting Too many servers Too few servers Healthcheck
action inconsistency @bellmar bit.ly/bellmar-auth0
Servers keep restarting Too many servers Too few servers Healthcheck
action inconsistency Undesirable but not impossible states @bellmar bit.ly/bellmar-auth0
Maybe you should turn yourself rather than the puzzle
Anyway… @bellmar bit.ly/bellmar-auth0
x per hour @bellmar bit.ly/bellmar-auth0
One please! @bellmar bit.ly/bellmar-auth0
One please! Sorry no more tokens. Sit in the retry
queue and come back later @bellmar bit.ly/bellmar-auth0
One please! Sorry no more tokens. Sit in the retry
queue and come back later @bellmar bit.ly/bellmar-auth0
STATE HOW DO WE MAKE THIS LOOK LIKE A MACHINE
@bellmar bit.ly/bellmar-auth0
Queued → Worker → Sent Has Tokens → No Tokens
@bellmar bit.ly/bellmar-auth0
Queued Worker Sent @bellmar bit.ly/bellmar-auth0
Queued Worker Sent Dropped @bellmar bit.ly/bellmar-auth0
WHAT’S STATES SHOULD BE IMPOSSIBLE? @bellmar bit.ly/bellmar-auth0
Has Token → Deleted Sent → Deleted Deleted → Sent
No Token → Sent @bellmar bit.ly/bellmar-auth0
HOW DOES OUR IMPLEMENTATION PREVENT THESE STATES? @bellmar bit.ly/bellmar-auth0
JUST TRYING TO BUILD THE MODEL OFTEN REVEALS BUGS @bellmar
bit.ly/bellmar-auth0
Email all my users! Password Reset Anomaly Detection Welcome Email
Validation @bellmar bit.ly/bellmar-auth0
Email all my users! Password Reset Anomaly Detection Welcome Email
Validation @bellmar bit.ly/bellmar-auth0
Queued Worker @bellmar bit.ly/bellmar-auth0
GREAT, SO WHAT SHOULD OUR MODEL LOOK LIKE? @bellmar bit.ly/bellmar-auth0
Tenant Tenant Tenant @bellmar bit.ly/bellmar-auth0
Tenant @bellmar bit.ly/bellmar-auth0 For each tenant For each bucket
LOOPS WILL F— YOU UP LOOPS @bellmar bit.ly/bellmar-auth0
x in [a, b, c] print x “a” “b” “c”
@bellmar bit.ly/bellmar-auth0
x in [a, b, c] l=append(l, x) l = [
] print l @bellmar bit.ly/bellmar-auth0
x in [a, b, c] l=append(l, x) [“a”] [“a”, “b”]
[“a”, “b”, “c”] l = [ ] print l @bellmar bit.ly/bellmar-auth0
x in [a, b, c] l = [ ] [“a”]
[“b”] [“c”] l=append(l, x) print l @bellmar bit.ly/bellmar-auth0
A B C then then A B C or or
Steps States @bellmar bit.ly/bellmar-auth0
Tenant Tenant Tenant @bellmar bit.ly/bellmar-auth0
Tenant Tenant Tenant @bellmar bit.ly/bellmar-auth0
@bellmar bit.ly/bellmar-auth0
Alice Bob Oh… that’s easy!
Undesirable -vs- Impossible
Queue Publishers
“SHOULD THE PUBLISHERS BE PUTTING THINGS DIRECTLY IN THE QUEUE?”
@bellmar bit.ly/bellmar-auth0 WAIT…
1) Make it look like a state machine 2) Define
the impossible states 3) Model what makes them impossible To Summarize: @bellmar bit.ly/bellmar-auth0
Things that already look like state machines: @bellmar bit.ly/bellmar-auth0
Things that already look like state machines: - Redux @bellmar
bit.ly/bellmar-auth0
Things that already look like state machines: - Redux -
AWS Lambda @bellmar bit.ly/bellmar-auth0
Things that already look like state machines: - Redux -
AWS Lambda - Workflow Orchestration (Airflow, Conductor, Luigi) @bellmar bit.ly/bellmar-auth0
Bit.ly/bellmar-auth0