Validating System Executions with the TLA+ Tools Markus A Kuppe, Microsoft

00:00

so yeah welcome I'm going to talk about

00:02

validating system executions with TLA

00:05

plus and when I say I it's a group of

00:08

people at inria in various entities of

00:13

Microsoft and the real title of my talk

00:15

is obviously a homework assignment an

00:18

answer to an homework assignment by our

00:20

keynote speaker this morning how do we

00:23

close the spect to code Gap uh in the

00:26

past I guess I've been one of the people

00:27

who has been a bit dismissive of this

00:29

question question and but then I

00:31

realized yeah uh we leave a lot of

00:33

people sort of out there who want to do

00:37

t plus but for which we don't have a

00:38

good answer so the answer is well pretty

00:43

simple pretty straightforward we have a

00:45

distributed system and I will primarily

00:47

talk about distributed systems

00:49

here all of your notes are logging the

00:52

local events anyway right each note

00:54

maintains a loog file it's get gets

00:56

written somewhere to local storage fine

00:58

and if there's an incident in production

01:00

or then you look at those lock files

01:02

anyway so in testing what we do is let's

01:05

just collect these lock files and

01:08

combine them into one single Global lock

01:11

now by some time stamp by some clock so

01:14

that the causal order is maintained um

01:17

in the log

01:18

file and then in t+ the answer to

01:22

everything is write another

01:23

specification we have a trace

01:26

specification uh called Trace that reads

01:30

the loog file and creates the set of

01:33

behaviors T that conform to what you see

01:36

in the loog file so naively you might

01:38

think there's just a single behavior in

01:41

t this was just a single execution of

01:43

your system but perhaps you weren't able

01:46

to collect all the information of your

01:49

distributed system so you had sort of

01:51

holes in your loog file and you had to

01:53

guess and then you end up with more than

01:55

one behavior in T and the validation

01:59

part then is well you have your

02:01

beautiful handwritten specification

02:04

perhaps reverse engineered from the code

02:06

but you compare that its set of

02:09

behaviors to the set of behaviors of uh

02:12

trace and if the intersection is

02:14

nonempty well then luckily this Behavior

02:17

this execution was accepted by our high

02:20

level specification yeah so you want to

02:23

want to be in the intersection

02:25

part um this idea isn't new there was

02:28

this prior work actually goes back more

02:31

than 20 years uh when a group around

02:34

Lamport used t+ and then new TLC to

02:40

verify um a cach coherence protocol and

02:43

they did two things a they took

02:45

behaviors coming out of TLC and replayed

02:48

those behaviors in a hardware simulator

02:51

yeah they were doing RTL design and I

02:53

have no idea what what that actually

02:55

means but they were able to replay those

02:57

behaviors in the RTL simulator

03:00

and simultaneously they were also

03:02

extracting other behaviors or other

03:04

executions coming out of this Hardware

03:06

simulator and valid validated those

03:09

against the t plus specification in

03:11

other words Trace

03:13

validation except perhaps that they did

03:15

this in a concurrence system not a

03:16

distributed one and the tooling the t

03:19

plus tooling was pretty custom tailored

03:20

to this particular effort in 2018 Ron

03:25

presler wrote this beautiful little note

03:28

about this technique and General yeah

03:30

how can you relate um implementation

03:33

level traces to t plus specifications

03:36

which I believe is fair to say spark

03:38

these two papers here and extreme

03:40

modeling practice out of mongodb by

03:43

Jesse Davis at all and Jordan Halterman

03:46

who independently applied it in um in a

03:49

different system which is now product of

03:52

Intel I believe and Jesse and all they

03:55

were a little bit less enthusiastic

03:57

about Trace validation Jordan Hal I

03:59

think was a bit more

04:01

positive they had experience with two

04:04

systems we now in this work here have

04:06

experience with seven additional

04:09

systems the first five actually systems

04:12

where we did essentially spec driven

04:14

development using Trace validation

04:17

several years ago I applied Trace

04:19

validation to the model uh multi

04:21

producer multi consumer problem you have

04:23

a set of producers a set of consumers in

04:26

the middle there's a fixed size que they

04:28

communicate through the Que if the Q is

04:30

full producers have to wait if the uh Q

04:33

is empty consumers have to wait and if

04:35

you don't get your synchronization right

04:38

specifically if you only use one single

04:40

mutex or then your system and a some

04:43

some configuration can can deadlock and

04:46

uh a specification shows that you have

04:48

to use two mutexes and Trace validation

04:53

instantaneously um found the

04:56

discrepancy well that's a concurrence

04:58

system more recently I applied it to a

05:01

distribution distributed termination

05:03

detection algorithm ewd 998 wrot the

05:06

spec first and then the implementation

05:09

and even though I was intimately

05:11

familiar with the specification as a

05:13

matter of fact this is my running

05:15

example in t plus workshops I still

05:17

screwed up in the implementation yeah

05:20

this token and you will later see what

05:22

this token actually does it kept going

05:24

around the ring long after the initiated

05:27

attack the

05:28

termination and that was found with

05:30

Trace validation and then I thought Ah

05:32

that's an easy fix so I came up with an

05:34

easy quick fix which Trace validation

05:36

showed was wrong so I had to do it

05:39

again and at inria they

05:42

implemented um a specification by

05:44

Lamport of 2pc two-phase commit and the

05:47

implementation had a bug that it used a

05:50

list data structure instead of a set

05:52

data structure so now if a resource

05:55

manager would time out while the

05:57

transaction manager is waiting for all

05:59

the resource managers to answer and then

06:01

the resource manager would subsequently

06:03

re signal that it's ready it would be

06:06

counted twice yeah and then the

06:07

transaction manager could just declare

06:10

Global

06:11

commit in a key Value Store

06:14

specification due to Murad here also

06:17

implemented by in edena they had a bug

06:22

in how they initially initialized the

06:24

local snapshot at the beginning of the

06:26

transaction again found by Trace

06:28

validation and last but not least an

06:31

implementation of vanilla raft based on

06:34

Diego angaro

06:36

specification um they made a deliberate

06:39

mistake to do to wrongly do the the

06:43

calculation of the quarum and in this

06:45

particular case due to this broken

06:47

arithmetic a candidate could receive a

06:50

quarum even though it didn't have one

06:52

right and then you would end up with

06:53

multiple leaders in the same term and

06:56

all of this was caught by Trace

06:58

validation but again spec driven

07:01

development and smaller systems I would

07:05

say but we've also been applying it to a

07:08

bigger system at CD I believe it has

07:11

44,000 stars on GitHub so it's

07:13

reasonable reasonably popular in the

07:16

internet might even show up another

07:18

track here of the

07:19

conference has almost 900 contributors

07:23

several releases so it's super mature

07:25

and the Microsoft product group wants to

07:28

bring a new feature to ET CD which is

07:30

called a witness support essentially you

07:32

bring down the operational cost of

07:34

running the cluster but instead of using

07:36

three nodes you only use two nodes plus

07:39

a

07:40

witness and they did Spectrum

07:43

development so they specified the

07:44

feature they even wrote a pen and paper

07:46

proof yet to be mechanized with gaps and

07:50

that's convincing to the ETD maintainers

07:53

that the algorithm works but how they

07:56

wondered how do we make sure that also

07:58

the implementation of this new witness

07:59

feature is correct and so we decided hey

08:03

first we will add Trace validation to at

08:05

CD yeah to vanilla at CD as it is right

08:08

now that's currently being tracked in

08:10

111 and it's nearing completion and then

08:13

in

08:14

133 uh the ra witness support will be

08:16

added to uh to at CD based then also on

08:20

the trace validation and one of the uh

08:23

maintainers here the Rio thinks that

08:27

Trace validation and TLC model checking

08:29

sort of

08:30

vital also along the way we didn't find

08:33

a safety Buck inet CD with Trace

08:35

validation unfortunately dang but we

08:38

found at least an inefficiency yeah so

08:41

if the database of some of the nodes has

08:45

to be um reined so you have to lose or

08:50

drop a suffix of the database at one Noe

08:53

and it has to resync with the other

08:55

nodes the node would go back too far

08:58

yeah and you would wait waste Cycles to

09:00

syn it back up again and that was found

09:02

by the by by trans

09:04

validation interesting little anecdote

09:07

here um Fang

09:09

90 who's I believe one of the founding

09:12

members of etcd apparently spoke with

09:15

fport and Jew in 2015 about ways to

09:19

generate an implementation from a

09:22

specification and Lamport and Drew were

09:24

like yeah there have been a few of

09:26

efforts but they weren't super

09:28

successful and I'm pretty sure that Finn

09:30

over there has a different opinion he

09:31

will talk about it after me so we leave

09:34

that for him but what um Lamport and

09:36

Juice addressed it was hey look how

09:39

about you write a mapping function that

09:42

takes the implementation State and

09:44

Compares that to the specification State

09:47

yeah AKA Trace validation so here some

09:49

eight years later we finally brought

09:52

Trace validation to

09:54

atcd and uh sort of the last experience

09:58

report in my talk today here is the

10:01

confidential Consortium framework CCF

10:03

done by Azure research it's graph

10:06

inspired it's not vanilla raft um it's

10:09

raft inspired crash fall tolerant

10:11

consensus it has Dynamic reconfiguration

10:14

we learned all about Dynamic

10:15

reconfiguration this morning and how

10:17

hard it is it also has cryptographic

10:21

guarantees built into the consensus uh

10:24

layer and it is the off Foundation of

10:27

some a Azure offerings

10:30

it's perhaps not as mature as uh at CD

10:34

but still reasonably mature has several

10:36

releases yeah foundational offering um

10:39

in aser and it's written in a highly

10:41

efficient programming language here that

10:43

everybody

10:47

loves since

10:49

2019

10:50

um or after 2019 actually around 2022

10:55

the team decided okay we have an

10:57

implementation now we all want a

11:00

specification I can only speculate about

11:03

the reasons and I won't do that but

11:05

somebody was tasked to write a

11:07

specification and they essentially

11:08

followed kelvin's outline here reverse

11:11

engineer the source code talked to

11:13

Engineers spent several months yeah

11:16

figuring out what the system actually

11:18

does and they model check that

11:20

specification they found issues

11:22

subsequently

11:24

corrected and then in 2023 we thought hm

11:28

perhaps we can do more let's try Trace

11:31

validation yeah they happen to have a

11:35

testing environment yeah some shim some

11:38

test driver to run multiple nodes on a

11:41

single computer and have them do things

11:43

so we took those 15 or so tests they had

11:47

and obtained the traces the executions

11:50

coming out of the tests to bring the

11:52

spec up to speed to update it and that

11:55

was a great process initially we found

11:57

lwh hanging things like okay okay in a

12:00

specification you can only have a send

12:01

an a pent entries message with a single

12:04

entry but the implementation may send

12:06

empty or Zero Entry entries or batches

12:08

of

12:09

entries it's okay to abstract it this

12:12

way on the other hand if you think of

12:13

batches those entries might be from

12:15

different terms and suddenly your

12:17

correctness might be a little bit

12:18

different yeah we added more and more

12:22

changes to the high level specification

12:24

because we knew knew it wasn't like up

12:26

to date and you can go on GitHub and

12:29

look at the 20 or so pull requests we

12:32

got a bit more ambitious later on um in

12:35

the sense that we added the

12:36

bootstrapping of notes to the

12:38

specification of how the bootstrapping

12:40

is done in the real system how the note

12:42

membership Works related to the

12:44

cryptographic guarantees and also how

12:46

note retirement works and how long nodes

12:48

have to stay around in order for the

12:50

system to remain

12:52

live and then we felt pretty pretty good

12:55

about our specifications so that we

12:57

decided now it's time to also do new

12:59

features based on the specification so

13:02

we sort of reversed from going backwards

13:05

to forwards and started to add request

13:09

propos request vote messages to the high

13:11

level specification and once we found

13:13

this worked works we implemented it um

13:17

in the

13:19

code later on we also experimented with

13:22

different network guarantees at the spec

13:24

level to see what kind of message

13:26

channels the implementation actually

13:29

needs what kind of guarantees it needs

13:31

does it need order delivery or can we

13:33

get away without order delivery we look

13:35

at those kinds of questions but most

13:39

surprisingly we found two data loss

13:42

issues um during Trace

13:46

validation so one was because we reuse

13:50

or CCF reuses the term field in a pent

13:53

entries messages and then due to some

13:56

unlucky reordering of of append entries

14:00

of stale append entries messages and

14:02

negative append entries message yeah in

14:04

other words some non-happy path the

14:07

system could lose data the commit index

14:09

could be Advanced past a quorum um and

14:12

then if a note uh crashes data is lost

14:17

the other one the second one was similar

14:19

node locally reused its match index

14:22

variable and that could also lead to

14:25

unsafely advancing the commit index and

14:27

again some nonha path

14:31

Behavior but now the big question

14:33

obviously is how is it possible that

14:35

Trace

14:36

validation yeah that we did starting

14:39

from passing tests we started with

14:42

passing tests those were green those

14:44

tests didn't lose data and they

14:45

obviously assured that the network

14:47

doesn't lose data or that the system

14:48

doesn't lose data well obviously if you

14:51

do Trace validation you don't do it in

14:54

isolation instead it's one more tool in

14:57

your T Plus Engineering ing verification

15:00

tool Bel you start with a trace that

15:02

fails and then iteratively you update

15:05

this high level specification or you

15:08

find hey I will leave the specification

15:11

a bit more abstract but in my Trace

15:13

specification I will formally document

15:16

this Divergence and I will show you what

15:18

that actually means later and then at

15:20

some point later you're at the point

15:22

that your traces all validate yeah and

15:25

that's great but you don't stop you keep

15:29

going and now do full scale

15:31

verification and that's when we found

15:33

that oh TLC suddenly finds violations of

15:35

the core correctness properties of our

15:38

specification H so this could have been

15:40

a speack buck yeah just because we find

15:44

an issue at the level of the

15:45

specification doesn't necessarily mean

15:47

that the implementation is also

15:49

vulnerable so we manually

15:52

translated TLC's counter example into a

15:56

new test or into new tests multiple test

16:00

with which we confirmed that the Bucks

16:02

are present also in the

16:03

implementation bucks are great to show

16:06

that H sorry tests are great to show

16:08

that bucks are present not so much that

16:10

there are no bucks right luckily t plus

16:14

counter examples are typically

16:16

relatively short so this exercise wasn't

16:19

super hard but it would be nice to do

16:21

this in an automated fashion and that's

16:23

going to resurface in our uh in the

16:25

future work section of this presentation

16:27

here okay knowing that the

16:30

implementation was vulnerable we then

16:33

obviously came up with a fix at the

16:35

level of the

16:37

specification again did a hell of a

16:39

model checking simulation and everything

16:41

ideally you could also do ethereum

16:42

proving at this point again before we

16:45

rolled the fix in the

16:50

implementation okay questions so

16:53

far yeah

17:02

like you're doing like like 10,000

17:04

requests a second or staying up for like

17:06

a couple weeks or something like that

17:08

how do you test something like that with

17:09

t where you need like a huge load or no

17:12

no we don't need a huge load in t so a

17:16

your specification is highly abstract

17:19

and removes a lot of the detail that is

17:21

irrelevant to finding these issues and

17:23

like Kelvin said by default everything

17:26

in TLA plus is sort of concurrent the

17:29

model Checker will check all the

17:30

possible combinations of these actions

17:33

it sort of finds these things and you

17:36

use the small scope hypothesis you don't

17:39

test this with 40 notes but with three

17:42

or five notes and then those bucks

17:45

become more

17:49

likely okay so I keep going because now

17:52

it's time for the trace validation mini

17:54

tutorial based on ewd

17:57

998 this is really just an excert if you

17:59

want to see the the long version go to

18:02

this pull request where I try to

18:04

summarize uh everything as best as

18:07

possible in various

18:09

commits so in order to do Trace

18:11

validation you have to understand what

18:13

the actual system is and it's this

18:15

termination detection um algorithm Zack

18:19

and other folks here in the audience are

18:22

experts in this system now it's pretty

18:25

easy you have a distributed system and

18:28

they carry out some computation that

18:31

involves sending messages back and forth

18:34

so you send a message from node a to

18:35

node B and note B receives the message

18:39

and then sometime later if nodes run out

18:42

of work they decide to deactivate yeah

18:45

go idle until they receive another

18:49

message yeah and now detecting

18:52

termination here seems easy you just

18:54

look if all the notes are deactivated

18:57

but if you don't have a control play

18:59

like in a cloud environment you somehow

19:02

have to do this inside of a distributed

19:04

system and that's where our token

19:07

passing kicks in yeah we have some note

19:10

who passes a token around a ring a

19:12

topologic a logical topology of our

19:16

notes and after multiple rounds of this

19:18

token passing the initiator can infer

19:22

based on the state of the token that the

19:24

system has

19:25

terminated yeah I'm glossing over lots

19:28

and lots of detail detail here obviously

19:29

and I don't expect you to fully grock

19:31

the algorithm the main takeaway is we

19:34

have three actions send receive and

19:36

deactivate and they model asynchronous

19:39

message delivery and we have two other

19:42

action initiate token and pass token

19:45

that model the synchronous or Atomic

19:48

token passing in our high level

19:51

specification

19:53

okay in pictures the ex an execution of

19:57

the system may look like this

19:59

now we have six notes Here some of which

20:01

are active some are inactive they send

20:04

messages back and forth and this green

20:07

thing that starts traveling around the

20:08

ring now is our

20:11

token and the RDR SDR is the local

20:15

system blck yeah this sort of the event

20:18

of actions that happen at each one of

20:21

the

20:21

notes okay now you know how this how the

20:24

system approximately looks

20:27

like when when and where do I lock in

20:30

the

20:30

implementation when and where do I keep

20:32

systems

20:35

stay I do this in only two places when a

20:39

no send node sends a message and when a

20:43

node receives a message and for no real

20:46

reason I choose to use Json as my wire

20:49

and lock uh format could have been any

20:51

format right but when a node sends a

20:53

message it writes it to the socket and

20:55

since it's already serialized I might as

20:58

well write it to to S3 out into my fancy

21:01

logging

21:02

library and receive messages

21:06

similar so then what does this ominous

21:10

Trace specification look like that reads

21:13

the log file into t+ behaviors this is

21:17

it yeah it only contains the real one is

21:20

a bit longer I will show it

21:22

afterwards we extend the original

21:25

specification because there are so many

21:27

useful definitions that we just when we

21:28

reuse in our lowlevel specification we

21:31

also extend Json and Vector clock

21:34

because they have useful definitions to

21:36

order and read our loog files and then

21:40

the only other variable that this

21:42

specification declares is the length

21:46

variable which is our offset into the

21:49

log yeah how many lines of the log have

21:51

we already

21:55

processed and then we have five actions

21:59

here's only one is sent message that

22:01

essentially checks if there are still

22:03

more lock lines to be consumed yeah if

22:06

length is in the domain of the lock we

22:08

bump length and check if the event in

22:12

the lock is a scent event if it's a

22:14

scent event and the message that was

22:17

sent its type is a payload PL message

22:20

well then we know this has to be a sent

22:22

message action of the high level

22:24

specification ewd 998 Chen

22:28

and the argument to that is the identity

22:31

of our sender

22:33

node and the angel send message subar

22:37

makes sure that the variables of the

22:38

high level specification actually

22:44

change and then the last line it's

22:46

technically not strictly necessary but I

22:50

happen to Define sent message on the

22:52

high level specification in the typical

22:55

t plus fashion in other words I Ed

22:58

existential quantification to select the

23:00

receiver node yeah send messages defined

23:03

there exists a node in the set of O

23:05

nodes such it such that its inbox in the

23:08

next state contains one more message and

23:11

with a system of say six nodes we would

23:14

have six successor States for the

23:17

current state current state uh for a

23:19

send message action but clearly we can

23:22

do better we can prune away five of

23:24

those six states to limit States space

23:27

explosion

23:28

and have this constraint down here do

23:32

that yeah that's

23:34

it so let's see ah this is what I wrote

23:40

about

23:42

okay this just way too small but I can

23:46

make it bigger now I only have to find

23:49

my

23:50

mouse so here's our S no this is pass

23:54

token this a send message yeah so this

23:57

is send message the one we we had on the

23:59

slide

24:01

oh okay well you see the five actions

24:04

here and they all look pretty much the

24:06

same maybe I have to move around

24:11

here send messages up here but it's the

24:14

same pattern or repeat it all over right

24:17

so let's see if we can now validate a

24:21

trace that I previously

24:24

recorded n TLC says oh no sorry no can

24:29

do this Trace doesn't validate dang so

24:32

what's the problem

24:36

here where is

24:38

this so the problem is that our lock

24:41

file because we only lock send and

24:43

receive events only contains the line

24:47

that says note number two passes the

24:49

token to note number

24:51

one when the token is in transit on The

24:54

Wire we have no control over the wire

24:56

and sometime lat later there's a lock

24:58

line that says note number one receives

25:01

this token from note number

25:03

two asynchronous message delivery yeah

25:07

but in our specification token passing

25:10

is

25:11

atomic it arrives at the destination in

25:14

a single step yeah so there is a

25:17

mismatch here in terms of the alignment

25:19

of the behaviors but TAA plus has us

25:22

covered we just add a stuttering step

25:25

into our um Trace Behavior here

25:28

by adding a definition called is receive

25:32

token which you can see doesn't change

25:35

any of the

25:36

variables if we go back to our

25:40

specification if I find my

25:43

pointer

25:45

it's this guy here and it says unchanged

25:49

variables yeah it does it leaves the

25:51

high level um variables unchanged it

25:54

just allows us to introduce a stuttering

25:56

step you could have also pre process the

25:59

lock and eliminate those lock lines but

26:02

I think that's ugly I don't like

26:06

that okay so let's

26:10

add that

26:12

conjunct n

26:16

sorry to our specification and

26:19

check

26:21

again and still we we don't manage to uh

26:25

validate the trace but I think we made

26:28

progress we now are at step number five

26:31

now we moved from two to five

26:35

yeah and now I have to do this again and

26:38

the problem here is okay previously we

26:41

had to do had to introduce a stuttering

26:44

step but now a note is only allowed to

26:49

send a token if it's

26:51

inactive but nowhere do we lock that

26:53

noes deactivate that's also not in our

26:56

lock yeah this is the one of the h that

26:58

I mentioned

27:00

earlier and in order to account for this

27:02

we have to allow nodes to

27:05

non-deterministically go to inactive

27:08

while they pass the token and this is

27:11

done by composing the high level action

27:14

deactivate with the highle action pass

27:17

token with the action composition

27:20

operator that has recently been added to

27:23

TLC or support of which has recently

27:26

been implemented in TLC see so we see

27:29

there exists an ion node such that i

27:32

deactivates c. pass token it does this

27:36

in one

27:37

step

27:39

and now if I check this new

27:46

specification it

27:48

passes

27:50

um

27:53

great so let's go back to here

28:00

but what is it we actually

28:02

verify when we do Trace validation we do

28:05

the intersection right but TLC only has

28:09

invariance and

28:10

properties at least historically yeah

28:13

safety and liveness

28:14

properties this isn't a safety property

28:17

what should be the safety property this

28:18

is not a state level formula that we can

28:20

check

28:21

here you might be tempted to check

28:25

deadlock but I don't know I guess I went

28:27

to too fast the diameter in model

28:30

checking was something like 150 but the

28:33

number of distinct States was 156 or so

28:36

because there were a few states in the

28:38

state

28:39

graph

28:41

that uh due to

28:43

nondeterminism which would violate our

28:45

deadlock check so we would see spirous

28:47

counter examples because these states

28:49

don't have successor States and for the

28:52

same reason we can't use a liveness

28:53

property like eventually always the

28:55

length of the loog is equal to the Leng

28:58

or the length variable is equal to the

29:00

length of the lock would also produce a

29:02

spirous counter example what we really

29:04

want to check is a CTL property there

29:06

exists a path in the set of all

29:08

behaviors such that the length variable

29:11

is equal to the length of the lock but

29:13

we can't express that in TLA

29:16

plus the next best workaround if you

29:20

want something like a counter example is

29:23

this livess here that's a bit convoluted

29:26

that I had to abbreviate to fit on the

29:27

SL

29:28

which essentially says for as long as we

29:31

are not at the point where length is

29:34

equal to the length of the lock TLC

29:37

still has unexplored sucess unexplored

29:39

States in its state

29:41

CU it's very technical very

29:44

messy but you get some candidate

29:47

Behavior as a counter example but the

29:49

real property that you want to check

29:51

because as I will argue in a minute

29:53

there are no counter examples here the

29:56

real property to check is that that the

29:58

longest behavior that TLC

30:01

generated the diameter is equal to the

30:04

length of the loog that says there

30:06

exists a p a behavior and the set of

30:08

other behaviors whose length is the

30:10

length of the

30:13

lock and

30:15

then a violation

30:19

to um Trace validation would be a graph

30:23

that looks like can I find this is that

30:26

Trace TR

30:36

that looks

30:38

like this

30:40

here and if you scroll in there are many

30:45

points obviously you want to do this on

30:47

a bigger computer um screen rather um

30:53

you see TLC finds all these Alternatives

30:55

and some of which have been excluded

30:57

those are the yellow States they have

30:59

been excluded due to our last conjunct

31:02

and sent message but perhaps those will

31:05

be the real States the real path to

31:09

fully match the lock and that's why I

31:11

argue you always have to look at the

31:13

graph rather than individual counter

31:16

examples because those B counter example

31:18

might be a red

31:20

herring and by the way the t plus

31:23

debugger can help you figure out where

31:27

the validation fails because you can set

31:30

a dedicated space uh break point and

31:32

then it will hold the moment debugger

31:34

will hold the moment it starts rejecting

31:37

uh

31:47

States okay so in the two ra based

31:53

systems how much logging did we have to

31:56

add

31:58

in the case of at CD we added logging in

32:00

11 places and in CCF we did so in 15

32:04

places and it's really essentially STD

32:06

out yeah there is no convoluted logging

32:09

library that we make you buy into we

32:11

also don't require some deterministic

32:13

hypervisor it's really your system

32:16

running in your environment just logging

32:19

yeah we log when messages are sent and

32:21

received because CCF is written in C++

32:24

there are multiple places where messages

32:26

are sent anded that's why there's this

32:29

difference in number of lock places plus

32:32

we also decided that we lock in our

32:36

testing infrastructure when it

32:39

deliberately loses a

32:41

message we could have gone without but

32:44

we found that the nondeterminism that we

32:47

had to introduce in the trace

32:49

specification brought the verification

32:52

validation time up from seconds to a few

32:54

minutes so we decided okay we will lock

32:56

this into that to yeah really make uh

33:00

model checking or Trace validation super

33:02

fast in general lock when messages are

33:05

sent and received yeah you won't have

33:08

issues with inadvertent deadlocking your

33:11

system because when you after things

33:13

have been serialized before they get

33:16

deserialized back into your system there

33:18

are no locks anymore that can go could

33:20

go into your way and then ideally

33:23

additionally also lck any observable

33:27

node local State

33:28

changes the nodes going inactive in my

33:32

ewd 998 example I could have also uh

33:36

locked to STD out right they just

33:39

decided for the purpose of this mini

33:41

tutorial here to not do

33:44

that also include primed and the

33:47

unprimed variables to strengthen your

33:50

matching and try

33:53

to or only lock constant size variables

33:58

yeah don't lock the content of your

34:00

database you don't want it every state

34:02

right the database to STD out that

34:04

wouldn't be feasible right goes without

34:08

saying in order to synchronize your

34:10

clocks uh sorry synchronize or order

34:13

causally order your lock files you can

34:15

use a centralized clock if you have to I

34:18

find it way more elegant to use logical

34:22

distributed clock like a vector clock a

34:24

Lamport

34:25

clock um perhaps space is prohibitive

34:29

because you have so many nodes then use

34:31

a Lamport clock I would even argue you

34:33

want this distributed clock even if you

34:35

don't do Trace validation to just make

34:37

sense of your lock files right if you

34:41

want to do Vector clocks we have a

34:43

vector clock module in the community

34:45

modules it has a Java module override to

34:47

make things fast we stole the code from

34:50

the shivas project to sort the vector

34:53

clocks and as a bonus if you have Vector

34:57

clocks you can use Ivan's beautiful shiv

35:00

Vis tool to visualize the nodes of your

35:03

system and how they communicate Yeah you

35:05

sort of get that for free don't have

35:07

time for a demo but it's great and I'm

35:10

pretty sure Ivan is willing to give you

35:12

a demo if you want

35:14

to so to wrap up I hope to have

35:18

convinced you that the t plus tools are

35:20

mature enough to narrow the Spectra code

35:23

Gap yeah I hope we get an an a from Mark

35:27

for our homework here because yeah as

35:30

you've seen Trace validation found spect

35:32

to code divergences in all seven systems

35:36

we found

35:37

non-trivial uh bugs in Real World

35:40

Systems it was also beautiful to reverse

35:43

engineer CCF yeah updating the

35:46

specification based on a trace perhaps

35:49

beautiful as to to optimistic I was

35:52

staring at this one debugger and this

35:54

other debugger and trying to compare

35:55

values perhaps not beauti

35:58

but it was at least better than just uh

36:00

throwing arrows in the

36:02

dark and more importantly from now on

36:04

forward cicd runs this Trace validation

36:08

on every commit so if some non-la plus

36:10

engineer changes CCF in a way that

36:13

breaks the specification we will likely

36:15

find it clearly this stuff requires t

36:18

plus

36:19

expertise but if you don't have a high

36:22

LEL specification or if you don't have a

36:23

t plus expert you don't have a t plus

36:26

high level specification right so PR

36:28

validation kind of becomes a mood

36:31

anyway and I'm kind of proud that this

36:34

most recent pull request

36:37

6119 that was opened last week was

36:40

opened by an engineer he's pretty clever

36:43

but he only had two days of TL plus

36:45

training and this pull request brings T

36:47

TR validation to another specification

36:49

at

36:51

cclf okay what's

36:53

next well does trace validation

36:56

generalize I think we now have have nine

36:58

or so systems where it had provided

37:02

value one thing that you could argue is

37:05

well most of them were raft and more

37:08

importantly the raft specification is

37:10

super low level from the perspective of

37:12

t plus yeah if you look at the pexa

37:15

specification it's way more high level

37:17

and one might wonder if you would still

37:20

find so many issues with a more high

37:22

level

37:23

specification but at least in the case

37:25

of raft it works and in TLA plus we can

37:28

always refine specifications even if you

37:30

start with a high level spec could

37:32

gradually refine it to bring it closer

37:34

to the implementation then do Trace

37:37

validation we haven't really done this

37:39

at scale yet AKA

37:42

production that's something to be done

37:45

and in order to handle this case with

37:47

the uh the drop messages we implemented

37:50

a true depth for search mode in

37:52

TLC that uh made things significantly

37:56

faster because if you think about it if

37:58

you only check the intersection it

37:59

suffices to find one behavior in the

38:02

intersection then you can stop you don't

38:03

have to exhaustively change search the

38:05

state

38:07

space what's missing here is sort of the

38:10

companion

38:11

of um Trace validation which I would say

38:15

call like something like model based

38:16

testing that helps you generate diverse

38:19

sets of behaviors yeah and

38:22

ideally it would also be able to take

38:25

counter examples and Translate those

38:28

into system tests so that you don't have

38:31

to do this manual translation if the

38:33

high level verification finds there's

38:35

something off alternatively you can

38:37

obviously try fuzzing or chaos

38:40

engineering to penetrate the dark

38:42

corners of your implementation State

38:44

space and with Trace validation you at

38:47

least have a notion of coverage now

38:50

because you can look at the spec

38:52

coverage okay thank you

38:57

[Applause]

39:00

thank you do we have

39:08

questions H it was interesting to see

39:10

seven out of seven there um so uh kind

39:14

of to Mark's Point earlier does this

39:16

starting to feel like something where

39:19

it's as important to do in terms of

39:21

rather we're saying hey it's really

39:23

important to do this spec but handwave

39:24

handwave not so important to that's

39:26

going to translate easily so where's

39:27

your where's your feeling on that of

39:30

import level of importance after seeing

39:32

again seven out of

39:34

seven yeah I think I'm surprised how

39:37

effective it is um the kind of return on

39:40

invest here seems to be pretty high um

39:43

CCF I believe I worked a couple of

39:46

months on it but majority of the time

39:50

was spent on updating the t plus tools

39:53

um if an if a system expert would have

39:56

written the tra specific it would have

39:58

been faster I sort of had to understand

40:00

the system

40:03

also thanks for a great talk Marcus I

40:06

was wondering

40:08

about you know like you've described J

40:10

validation it's it's I essentially I see

40:12

it as a onetime cost effort for trying

40:15

to map like a specific system to a

40:17

specific model but then there's also

40:19

these like more General funny language

40:21

tools like pigo and things that people

40:23

have been working on that are trying to

40:25

basically raise the level or you know

40:27

decrease low of abstraction if you will

40:29

on the model side and have a kind of a

40:31

more mechanized mechanized path to

40:34

implementation I just wondering about

40:35

the the trade-offs between these and

40:37

maybe you could speak to you know like

40:40

when is

40:41

trash yeah just maybe maybe more

40:44

abstractly about about Trace validation

40:46

and maybe pros and cons as compared to

40:48

that yeah I think I mean it's a great

40:50

idea to generate the implementation from

40:52

the specification of that works but I

40:54

think a current constraint of that say

40:57

that it has to be a green field project

40:59

and this was also of Brownfield yeah you

41:02

have an existing implementation and I

41:04

think that's where Trace validation sort

41:06

of has the biggest return on invest um

41:10

yeah Green Field I would probably try to

41:11

do something like P go first generate as

41:14

much as possible be principled in the

41:16

way how I implement the system and have

41:18

to manually do it and then would

41:20

probably get

41:22

yeah would feel better about the

41:24

implementation if I would apply that

41:26

technique

41:30

additional

41:35

questions okay y have to decide that du

41:38

it

41:41

out Hey so uh recently the whole thing

41:46

about like

41:49

subjecting um distributed systems to I

41:52

guess sort of chaos engineering and

41:54

traces and stuff uh got shaking up with

41:58

the publication of the antithesis system