Why You Should Use Modeling [With TLA+/PlusCal]

I recently gave a 2-day seminar on "debugging your designs with TLA+/PlusCal" at Dell. So I wanted to write down some of the motivation for modeling and for debugging your models while this is still fresh in my mind.

You need modeling


No, not that kind of modeling! Actually the naming clash is not accidental after all: fashion designers need models to test/showcase their designs.

You need modeling because:

  • Failing to plan is planning to fail
  • Everything is a distributed system
  • The corner cases ... they are so many
  • Do it for the development process
  • Being smart does not scale

Failing to plan is planning to fail

This is from the paper, "Use of formal methods at Amazon Web Services, 2014".
"Before launching any complex service, we need to reach extremely high confidence that the core of the system is correct. We have found that the standard verification techniques in industry (deep design reviews, code reviews, static code analysis, stress testing, fault-injection testing, etc.) are necessary but not sufficient.
Human fallibility means that some of the more subtle, dangerous bugs turn out to be errors in design; the code faithfully implements the intended design, but the design fails to correctly handle a particular 'rare' scenario. We have found that testing the code is inadequate as a method to find subtle errors in design."

Modeling shows you how sloppy your "design" is. You think you got the design right, but for a complex service worth its salt you almost always get it wrong (more on this below). You won't find out what you got wrong unless you model your design and validate it. And you want to find that out early, without the sunk investment of correctly implementing your flawed design. Otherwise, even after Jepsen shows you that you screwed up, you are already too invested in this flawed design, so you try to patch it, and you end up with a slow and bloated system.


Everything is a distributed system

There's just no getting around it: you're building a distributed system.

In this process, you are very likely to make an assumption that will bite you back, such as: one hop is faster than two hops, zero hops is faster than one hop, and the network is reliable. What you assumed was an atomic block of execution will be violated because another process will execute concurrently and change the system state in a way you didn't anticipate. And don't even get me started on faults; they are in a league of their own, and they will collude with your program actions to screw you up.

The corner cases, they are so many

In the 2004 "Consensus on Transaction Commit" paper, Lamport and Gray mentioned that they could not find a correct three-phase commit protocol in database textbooks/papers, because each one fails to account for some corner case.
"Three-Phase Commit protocols ... have been proposed, and a few have been implemented [3, 4, 19]. They have usually attempted to "fix" the Two-Phase Commit protocol by choosing another TM if the first TM fails. However, we know of none that provides a complete algorithm proven to satisfy a clearly stated correctness condition. For example, the discussion of non-blocking commit in the classic text of Bernstein, Hadzilacos, and Goodman [3] fails to explain what a process should do if it receives messages from two different processes, both claiming to be the current TM. Guaranteeing that this situation cannot arise is a problem that is as difficult as implementing a transaction commit protocol."


Do it for the development process

Modeling is good for achieving clarity of thinking and of communication. Lamport used TLA+ without a model checker from the 1990s to 2010. Even without the model checker, he still found value in modeling: it made him nail down the specifications and communicate them to others precisely. When you write things down precisely, it frees your brain to move on and do more with it. Clarity begets more clarity. Focus begets more focus.

Once you abstract away the clutter, come up with a precise model in PlusCal, and validate it with exhaustive model checking, you can focus on the essence of the problem and see alternative ways to implement it. And throughout the development process, as you refine/implement the design, the PlusCal model will help a lot for communicating the design to other engineers and for checking which implementations would work for each subsystem.



Being smart does not scale; exhaustive model checking comes to the rescue

Once you get the design down in pseudocode (but not in TLA+ or PlusCal), couldn't that work for invariant-based design? Can't you just check each action in your pseudocode to see if it preserves your safety/invariant conditions, and be done with it? There is no need to model with TLA+/PlusCal and model-check, right?

Sigh. Did you read the above carefully? Everything is a distributed system, and there are many corner cases. Sloppy pseudocode is not going to cut it. And don't trust your deduction abilities for proving that each action preserves the safety conditions you identify. That works for simple toy examples, but for complicated examples you need to do a lot of extra mental inferencing, linking of concepts, and creative thinking, all of which is very error-prone.

Consider the hygienic philosophers example I discussed earlier. Your invariant will talk about being in the critical section, but the actions talk about ... forks ... per edges ... over a dynamic priority graph. So doing that mental mapping would be very hard. Instead, the TLA+/PlusCal model checker has you covered with exhaustive checking: a breadth-first traversal of all possible permutations of action scheduling that shows you whether there is any possible execution (including the fault actions you model) that can violate your invariants.

This is why I so happily adopted TLA+/PlusCal for my distributed systems class. Even for sophisticated algorithms, I can refer the students to the TLA+/PlusCal model to practice and play with the algorithm, so they can internalize what is going on.

Conclusion

This already got long. So in a later post, I will write more about the modeling/abstracting process, the mathematical/invariant-based thinking, and some shortcomings of modeling.

Drop me a message if you are interested in having me over for a training/talk!

MAD questions

This section is here because of my New Year's commitment.

1) In addition to workflow modeling and business logic modeling, TLA+/PlusCal has also been used for data modeling. Are there any other uses? If you have interesting use cases, please let me know, as I am curious.

2) Actually, I am aware of another use case for PlusCal model checking, but it seems to be by and large for toy examples so far. You define actors/operators that can act in any order, and you challenge the model checker by claiming that concurrent operation of those actors/operators can never satisfy a condition that you would like to happen. And the model checker, being the jerk it is, responds with a trace showing that it is possible, and you adopt this trace as the solution. The die hard puzzle is an example of this. This approach is useful for scheduling, maybe even cluster job scheduling under constraints, and even anticipating some statistical failures and still hitting the deadline. But I am not aware of any real-world use of this. Is this used in practice?

3) Is there a bad time for modeling? When should you not model?
Sometimes you may need to go bottom-up to figure out the domain/problems first. After you have an idea of the domain, then you can start to model and go top-down. I think it would not make sense to be opinionated and make modeling calls before you are informed about the domain and its issues. I think modeling is just thinking made more rigorous, and you should get the ball rolling on the thinking/understanding part a bit first before attempting to model.
