Contracts for building reliable systems

Slide 1

Slide 1 text

Contracts for building robust systems Chris Keathley / @ChrisKeathley / [email protected]

Slide 2

Slide 2 text

Confession

Slide 3

Slide 3 text

I like dynamic languages

Slide 4

Slide 4 text

Contracts for building robust systems Chris Keathley / @ChrisKeathley / [email protected]

Slide 5

Slide 5 text

Chris Keathley / @ChrisKeathley / [email protected] Contracts for building robust systems Correct

Slide 6

Slide 6 text

Correctness: the quality or state of being free from error; accuracy.

Slide 7

Slide 7 text

Robust: able to withstand or overcome adverse conditions.

Slide 8

Slide 8 text

My life Service Service Service Service Service

Slide 9

Slide 9 text

My life Service Service Service Service Service Teams

Slide 10

Slide 10 text

My life Service Service Service Service Service Teams Me

Slide 11

Slide 11 text

Session Types

Slide 12

Slide 12 text

My life Service Service Service Service Service Teams Me

Slide 13

Slide 13 text

Correctness

Slide 14

Slide 14 text

Correctness(t) Correctness over time

Slide 15

Slide 15 text

Change

Slide 16

Slide 16 text

Change Growth Breakage

Slide 17

Slide 17 text

Changes Service Service

Slide 18

Slide 18 text

Changes Service Service Expects users

Slide 19

Slide 19 text

Changes Service Service

Slide 20

Slide 20 text

Changes Service Service User{}

Slide 21

Slide 21 text

Changes Service Service User{}

Slide 22

Slide 22 text

Changes Service Service

Slide 23

Slide 23 text

Changes Service Service Now you can send me Users or Cats

Slide 24

Slide 24 text

Changes Service Service Now you can send me Users or Cats User{}

Slide 25

Slide 25 text

Changes Service Service Now you can send me Users or Cats User{}

Slide 26

Slide 26 text

Changes Service Service

Slide 27

Slide 27 text

Changes Service Service Now you can only send me Cats

Slide 28

Slide 28 text

Changes Service Service Now you can only send me Cats User{}

Slide 29

Slide 29 text

Changes Service Service Now you can only send me Cats User{}

Slide 30

Slide 30 text

Breaking changes require coordination

Slide 31

Slide 31 text

Why does software change?

Slide 32

Slide 32 text

Why does software change? Aesthetics

Slide 33

Slide 33 text

Why does software change? Aesthetics Refactors

Slide 34

Slide 34 text

Refactor?

Slide 35

Slide 35 text

Why does software change? Aesthetics Refactors

Slide 36

Slide 36 text

Why does software change? Aesthetics Technology Refactors

Slide 37

Slide 37 text

Why does software change? Aesthetics Technology Requirements Refactors

Slide 38

Slide 38 text

Why does software change? Aesthetics Technology Requirements Tacitly expects no breaking changes Refactors

Slide 39

Slide 39 text

We want to ensure that we didn’t break the api while allowing for growth

Slide 40

Slide 40 text

Lets talk about… Contracts Data speciﬁcation Testing strategies

Slide 41

Slide 41 text

Lets talk about… Contracts Data speciﬁcation Testing strategies

Slide 42

Slide 42 text

function

Slide 43

Slide 43 text

function Input

Slide 44

Slide 44 text

function Input Output

Slide 45

Slide 45 text

function Input Output Side-effects

Slide 46

Slide 46 text

function Input Output Side-effects Enforce the callers are correct

Slide 47

Slide 47 text

function Input Output Side-effects Enforce the callers are correct Ensure the function is correct

Slide 48

Slide 48 text

function Input Output Side-effects

Slide 49

Slide 49 text

function Input Output Side-effects Pre-conditions Post-conditions

Slide 50

Slide 50 text

rgb_to_hex

Slide 51

Slide 51 text

rgb_to_hex(0, 10, 32) => “#000A20”

Slide 52

Slide 52 text

rgb_to_hex ::

Slide 53

Slide 53 text

rgb_to_hex :: Integer -> Integer -> Integer

Slide 54

Slide 54 text

rgb_to_hex :: Integer -> Integer -> Integer -> String

Slide 55

Slide 55 text

rgb_to_hex :: Integer -> Integer -> Integer -> String 0 <= x <= 255

Slide 56

Slide 56 text

rgb_to_hex :: Integer -> Integer -> Integer -> String 0 <= x <= 255 Starts with a ‘#’

Slide 57

Slide 57 text

rgb_to_hex :: Integer -> Integer -> Integer -> String 0 <= x <= 255 Starts with a ‘#’ How do we type this?

Slide 58

Slide 58 text

Dependent Types

Slide 59

Slide 59 text

rgb_to_hex :: Integer -> Integer -> Integer -> String 0 <= x <= 255 Starts with a ‘#’ How do we type this?

Slide 60

Slide 60 text

rgb_to_hex :: Integer -> Integer -> Integer -> String 0 <= x <= 255 Starts with a ‘#’ How do we type this? (today)

Slide 61

Slide 61 text

Design by Contract github.com/JDUnity/ex_contract

Slide 62

Slide 62 text

defmodule Contractual do use ExContract def rgb_to_hex(r, g, b) do #… end end

Slide 63

Slide 63 text

defmodule Contractual do use ExContract requires is_integer(r) and 0 <= r and r <= 255 requires is_integer(g) and 0 <= g and g <= 255 requires is_integer(b) and 0 <= b and b <= 255 def rgb_to_hex(r, g, b) do #… end end

Slide 64

Slide 64 text

defmodule Contractual do use ExContract requires is_integer(r) and 0 <= r and r <= 255 requires is_integer(g) and 0 <= g and g <= 255 requires is_integer(b) and 0 <= b and b <= 255 ensures is_binary(result) ensures String.starts_with?(result, "#") def rgb_to_hex(r, g, b) do #… end end

Slide 65

Slide 65 text

defmodule Contractual do use Vow requires is_integer(r) and 0 <= r and r <= 255 requires is_integer(g) and 0 <= g and g <= 255 requires is_integer(b) and 0 <= b and b <= 255 ensures is_binary(result) ensures String.starts_with?(result, "#") def rgb_to_hex(r, g, b) do #… end end This is your invariant

Slide 66

Slide 66 text

What happens when we get an error? rgb_to_hex(-10, 300, 0.5)

Slide 67

Slide 67 text

What happens when we get an error? rgb_to_hex(-10, 300, 0.5) ** (ExContract.RequiresException) Pre-condition ["is_integer(r) and 0 <= r and r <= 255"] violated. Invalid implementation of caller to function [rgb_to_hex/3]

Slide 68

Slide 68 text

Don’t we already have guard clauses?

Slide 69

Slide 69 text

We can also check side-effects requires !check_in_db?(user), "user should not be stored" ensures check_in_db?(user), "user should be stored" def store_user(user) do # ... end

Slide 70

Slide 70 text

We can also check side-effects requires !check_in_db?(user), "user should not be stored" ensures check_in_db?(user), "user should be stored" def store_user(user) do # ... end Shouldn’t be in the db afterwords it should

Slide 71

Slide 71 text

Contracts are powerful

Slide 72

Slide 72 text

Isn’t this really slow?

Slide 73

Slide 73 text

Yes!

Slide 74

Slide 74 text

Lets talk about… Contracts Data speciﬁcation Testing strategies

Slide 75

Slide 75 text

Lets talk about… Contracts Data speciﬁcation Testing strategies

Slide 76

Slide 76 text

Slide 77

Slide 77 text

requires is_integer(r) and 0 <= r and r <= 255 requires is_integer(g) and 0 <= g and g <= 255 requires is_integer(b) and 0 <= b and b <= 255 ensures is_binary(result) ensures String.starts_with?(result, "#")

Slide 78

Slide 78 text

is_integer(r) and 0 <= r and r <= 255 is_integer(g) and 0 <= g and g <= 255 is_integer(b) and 0 <= b and b <= 255 is_binary(result) String.starts_with?(result, "#")

Slide 79

Slide 79 text

is_integer(r) and 0 <= r and r <= 255 is_integer(g) and 0 <= g and g <= 255 is_integer(b) and 0 <= b and b <= 255 is_binary(result) String.starts_with?(result, "#") Is the data correct?

Slide 80

Slide 80 text

Norm

Slide 81

Slide 81 text

is_integer(r) && 0 <= r and r <= 255 is_integer(g) && 0 <= g and g <= 255 is_integer(b) && 0 <= b and b <= 255 is_binary(result) && String.starts_with?(result, "#") Norm

Slide 82

Slide 82 text

def rgb, do: spec(is_integer() and (& 0 <= &1 and &1 <= 255)) is_binary(result) && String.starts_with?(result, "#") Norm

Slide 83

Slide 83 text

def rgb, do: spec(is_integer() and (& 0 <= &1 and &1 <= 255)) def hex, do: spec(is_binary() and (&String.starts_with?(&1, "#"))) Norm

Slide 84

Slide 84 text

Norm conform!(123, rgb()) 123 def rgb, do: spec(is_integer() and (& 0 <= &1 and &1 <= 255)) def hex, do: spec(is_binary() and (&String.starts_with?(&1, "#")))

Slide 85

Slide 85 text

Norm conform!(123, rgb()) 123 conform!(-10, rgb()) ** (Norm.MismatchError) Could not conform input: val: -10 fails: &(0 <= &1 and &1 <= 255) (norm) lib/norm.ex:385: Norm.conform!/2 def rgb, do: spec(is_integer() and (& 0 <= &1 and &1 <= 255)) def hex, do: spec(is_binary() and (&String.starts_with?(&1, "#")))

Slide 86

Slide 86 text

Slide 87

Slide 87 text

defmodule Contractual do use ExContract def rgb, do: spec(is_integer() and &(0 <= &1 and &1 <= 255)) def hex, do: spec(is_binary() and (&String.starts_with?(&1, "#"))) requires is_integer(r) and 0 <= r and r <= 255 requires is_integer(g) and 0 <= g and g <= 255 requires is_integer(b) and 0 <= b and b <= 255 ensures is_binary(result) ensures String.starts_with?(result, "#") def rgb_to_hex(r, g, b) do #… end end

Slide 88

Slide 88 text

defmodule Contractual do use ExContract def rgb, do: spec(is_integer() and &(0 <= &1 and &1 <= 255)) def hex, do: spec(is_binary() and (&String.starts_with?(&1, "#"))) requires valid?(r, rgb()) and valid?(g, rgb()) and valid?(b, rgb()) ensures valid?(result, hex()) def rgb_to_hex(r, g, b) do #… end end

Slide 89

Slide 89 text

Norm can match on atoms and tuples

Slide 90

Slide 90 text

Conforming atoms and tuples :atom = conform!(:atom, :atom) {1, "hello"} = conform!( {1, "hello"}, {spec(is_integer()), spec(is_binary())}) conform!({1, 2}, {:one, :two}) ** (Norm.MismatchError) val: 1 in: 0 fails: is not an atom. val: 2 in: 1 fails: is not an atom.

Slide 91

Slide 91 text

Conforming atoms and tuples {:ok, spec(is_binary())}

Slide 92

Slide 92 text

Conforming atoms and tuples result_spec = one_of([ {:ok, spec(is_binary())}, {:error, spec(fn _ -> true end)}, ])

Slide 93

Slide 93 text

Conforming atoms and tuples result_spec = one_of([ {:ok, spec(is_binary())}, {:error, spec(fn _ -> true end)}, ]) {:ok, "alice"} = conform!(User.get_name(123), result_spec) {:error, "user does not exist"} = conform!(User.get_name(-42), result_spec)

Slide 94

Slide 94 text

We can compose specs into schema’s

Slide 95

Slide 95 text

Norm supports Schema’s user_schema = schema(%{ user: schema(%{ name: spec(is_binary()), age: spec(is_integer() and &(&1 > 0)) }) })

Slide 96

Slide 96 text

Slide 97

Slide 97 text

Norm supports Schema’s user_schema = schema(%{ user: schema(%{ name: spec(is_binary()), age: spec(is_integer() and &(&1 > 0)) }) }) input = %{user: %{name: "chris", age: 30, email: “[email protected]"} conform!(input, user_schema) => %{user: %{name: "chris", age: 30}}

Slide 98

Slide 98 text

Slide 99

Slide 99 text

Norm supports optionality user_schema = schema(%{ user: schema(%{ name: spec(is_binary()), age: spec(is_integer() and &(&1 > 0)) }) })

Slide 100

Slide 100 text

Norm supports optionality user_schema = schema(%{ user: schema(%{ name: spec(is_binary()), age: spec(is_integer() and &(&1 > 0)) }) }) How do you mark a key as optional?

Slide 101

Slide 101 text

Optionality is deﬁned by the callsite. Not the data structure.

Slide 102

Slide 102 text

Optionality plug plug plug assigns: %{}

Slide 103

Slide 103 text

Optionality assigns: %{} plug plug plug

Slide 104

Slide 104 text

Optionality assigns: %{} plug plug plug Assigns a user id

Slide 105

Slide 105 text

Optionality assigns: %{user_id: 42} plug plug plug Assigns a user id

Slide 106

Slide 106 text

Optionality assigns: %{user_id: 42} plug plug plug

Slide 107

Slide 107 text

Optionality assigns: %{user_id: 42} plug plug plug Requires the user id

Slide 108

Slide 108 text

Norm supports optionality user_schema = schema(%{ user: schema(%{ name: spec(is_binary()), age: spec(is_integer() and &(&1 > 0)) }) })

Slide 109

Slide 109 text

Norm supports optionality user_schema = schema(%{ user: schema(%{ name: spec(is_binary()), age: spec(is_integer() and &(&1 > 0)) }) }) just_age = selection(user_schema, [user: [:age]])

Slide 110

Slide 110 text

Norm supports optionality user_schema = schema(%{ user: schema(%{ name: spec(is_binary()), age: spec(is_integer() and &(&1 > 0)) }) }) just_age = selection(user_schema, [user: [:age]]) conform!(%{user: %{name: "chris", age: 31}}, just_age) => %{user: %{age: 31}}

Slide 111

Slide 111 text

Lets talk about… Contracts Data speciﬁcation Testing strategies

Slide 112

Slide 112 text

Lets talk about… Contracts Data speciﬁcation Testing strategies

Slide 113

Slide 113 text

test "rgb works correctly" do end

Slide 114

Slide 114 text

test "rgb works correctly" do assert rgb_to_hex(0, 10, 32) end

Slide 115

Slide 115 text

test "rgb works correctly" do assert rgb_to_hex(0, 10, 32) assert rgb_to_hex(nil, [:cat], "hey!") end

Slide 116

Slide 116 text

test "rgb works correctly" do assert rgb_to_hex(0, 10, 32) assert rgb_to_hex(nil, [:cat], "hey!") assert rgb_to_hex(-10, 300, 0.5) end

Slide 117

Slide 117 text

test "rgb works correctly" do assert rgb_to_hex(0, 10, 32) assert rgb_to_hex(nil, [:cat], "hey!") assert rgb_to_hex(-10, 300, 0.5) end Known Knowns

Slide 118

Slide 118 text

“Writing unit tests is a waste of time” - John Hughes

Slide 119

Slide 119 text

“Writing unit tests is a waste of time” - John Hughes - Chris Keathley

Slide 120

Slide 120 text

We already know what kind of data we want def rgb, do: spec(is_integer() and (& 0 <= &1 and &1 <= 255))

Slide 121

Slide 121 text

def rgb, do: spec(is_integer() and (& 0 <= &1 and &1 <= 255))

Slide 122

Slide 122 text

def rgb, do: spec(is_integer() and (& 0 <= &1 and &1 <= 255)) rgb_gen = Norm.gen(rgb()) Lets generate it instead

Slide 123

Slide 123 text

def rgb, do: spec(is_integer() and (& 0 <= &1 and &1 <= 255)) rgb_gen = Norm.gen(rgb()) rgb_gen |> Enum.take(5) [124, 4, 172, 217, 162]

Slide 124

Slide 124 text

test "but good this time" do check all end end Generates values

Slide 125

Slide 125 text

test "but good this time" do check all end end

Slide 126

Slide 126 text

test "but good this time" do check all r <- gen(rgb()), end end

Slide 127

Slide 127 text

test "but good this time" do check all r <- gen(rgb()), g <- gen(rgb()), end end

Slide 128

Slide 128 text

test "but good this time" do check all r <- gen(rgb()), g <- gen(rgb()), b <- gen(rgb()) do end end

Slide 129

Slide 129 text

test "but good this time" do check all r <- gen(rgb()), g <- gen(rgb()), b <- gen(rgb()) do end end What test do we write?

Slide 130

Slide 130 text

Slide 131

Slide 131 text

test "but good this time" do check all r <- gen(rgb()), g <- gen(rgb()), b <- gen(rgb()) do end end

Slide 132

Slide 132 text

test "but good this time" do check all r <- gen(rgb()), g <- gen(rgb()), b <- gen(rgb()) do assert rgb_to_hex(r, g, b) end end

Slide 133

Slide 133 text

So now what?

Slide 134

Slide 134 text

“Great artists steal” Ada Eiffel Haskell Python Clojure

Slide 135

Slide 135 text

Links and references https://en.wikipedia.org/wiki/Design_by_contract https://www.clojure.org/about/spec https://www.cs.tufts.edu/~nr/cs257/archive/john-hughes/quick.pdf https://people.seas.harvard.edu/~chong/pubs/icfp17-whip.pdf https://www.youtube.com/watch?v=ROor6_NGIWU https://arxiv.org/abs/1607.05443

Slide 136

Slide 136 text

Special Thanks! * Jeff Utter * Jason Stewart * Lance Halvorsen * Greg Mefford * Jeff Weiss * The Outlaws

Slide 137

Slide 137 text

Thanks! Chris Keathley / @ChrisKeathley / [email protected]