Formal-Methods on Andrew Helwer
https://ahelwer.ca/tags/formal-methods/
Recent content in Formal-Methods on Andrew Helwer (feed last updated Wed, 18 Sep 2024 00:00:00 +0000).

TLA⁺ is more than a DSL for breadth-first search
https://ahelwer.ca/post/2024-09-18-tla-bfs-dsl/
Wed, 18 Sep 2024 00:00:00 +0000
Although it isn’t usually taught that way, a lot of TLA⁺ newcomers develop the understanding that TLA⁺ is just a fancy domain-specific language (DSL) for breadth-first search. If you want to model all possible executions of a concurrent system - so the thinking goes - all you have to do is define:
- The set of variables modeling your system
- The values of those variables in the initial state(s)
- Possible actions changing those variables to generate successor states
- Safety invariants you want to be true in every state
The model checker will then use breadth-first search (BFS) to churn through all possible states (& thus execution orders) of your system, validating your invariants.

TLA⁺ Unicode support
https://ahelwer.ca/post/2024-05-28-tla-unicode/
Tue, 28 May 2024 00:00:00 +0000
TLA⁺ was developed by Leslie Lamport, originator of \(\LaTeX\), so it’s unsurprising that TLA⁺ syntax looks pretty \(\LaTeX\)-y. It’s a very mathy language, with much use of symbols like (among others) \A, \E, /\, \/, and \in denoting \(\forall\), \(\exists\), \(\land\), \(\lor\), and \(\in\) respectively. The language tools include a tla2tex command to format TLA⁺ specs into \(\LaTeX\) for integration in research papers. However, research papers are not where I spend the most time looking at TLA⁺.

Wrangling monotonic systems in TLA⁺
https://ahelwer.ca/post/2023-11-01-tla-finite-monotonic/
Wed, 01 Nov 2023 00:00:00 +0000
TLA⁺ sees a lot of use modeling distributed systems. The ability to explore all possible interleavings of events makes concurrency simple to reason about. For this TLA⁺ uses something called finite model-checking, which is really just a breadth-first search through the entire state space. The key here - and this really must be emphasized - is that the model is finite. There can’t be an infinite number of states, or of course the model checker will run forever.

Using TLA⁺ at Work
https://ahelwer.ca/post/2023-04-05-checkpoint-coordination/
Wed, 05 Apr 2023 00:00:00 +0000
Here’s a short report of a time I used TLA⁺ at work, with interesting results. TLA⁺ is a formal specification language that is particularly effective when applied to concurrent & distributed systems. TLA⁺ made it tractable for an ordinary software engineer to reason about a tricky distributed systems problem, and it found a bug introduced by an “optimization” I tried to add (classic). The bug required 12 sequential steps to occur and would not have been uncovered by ordinary testing.

Pseudocode Showdown
https://ahelwer.ca/post/2023-03-30-pseudocode/
Thu, 30 Mar 2023 00:00:00 +0000
Last weekend I had a conversation with an undergraduate student new to computer science, who was reading CLRS. “I wish” they said, “that all the pseudocode in my algorithms textbook was just written in Python.” “Ah” I said, “but textbook authors sometimes want their work to endure beyond a decade.” “But Python’s been around for a long time” came the reply, “and it’s very readable, and you can’t execute pseudocode anyway so what’s the harm?

Writing a TLA⁺ tree-sitter grammar
https://ahelwer.ca/post/2023-01-11-tree-sitter-tlaplus/
Wed, 11 Jan 2023 00:00:00 +0000
2021 saw the completion of my first substantial free software project: a TLA⁺ grammar for tree-sitter, the error-tolerant incremental parser generator. The project stabilized & found users over the course of 2022, then over the holidays I used it to build the TLA⁺ Unicode Converter. The new year is a time to reflect on the past and look to the future, so here in early 2023 seems ideal to publish my experience.

The Missing Prelude to The Little Typer's Trickiest Chapter
https://ahelwer.ca/post/2022-10-13-little-typer-ch9/
Thu, 13 Oct 2022 00:00:00 +0000
It’s hard to find a textbook series garnering more effusive praise than The Little Schemer, The Little Prover, The Little Typer & co. The Little Typer introduces dependent type theory and is the first of the series I’ve read. I quickly grew to appreciate & enjoy its dialogue-based presentation - I’m a real convert! I might release future didactic blog posts as a dialogue rather than straight recitation of material in block paragraphs.

Regexes in the Z3 Theorem Prover
https://ahelwer.ca/post/2022-01-19-z3-rbac/
Wed, 19 Jan 2022 00:00:00 +0000
Republished from Teleport’s official blog (link). I received compensation from Teleport for writing this post.
Z3 is a satisfiability modulo theories (SMT) solver developed by Microsoft Research. With a description like that you’d expect it to be restricted to esoteric corners of the computerized mathematics world, but it’s made impressive inroads addressing conventional software engineering needs: analyzing network ACLs and firewalls in Microsoft Azure, for example. Z3 is used to answer otherwise-unanswerable questions like “are these two firewalls equivalent?

How do you reason about a probabilistic distributed system?
https://ahelwer.ca/post/2020-09-11-probabilistic-distsys/
Fri, 11 Sep 2020 00:00:00 +0000
In which I am stunted upon by coin flips
Wasn’t too long ago that I felt pretty good about my knowledge of distributed systems. All someone really needed in order to understand them, I thought, was a thorough understanding of the paxos protocol and a willingness to reshape your brain in the image of TLA⁺. Maybe add a dash of conflict-free replicated datatypes, just so you know what “eventual consistency” means.

Doing a math assignment with the Lean theorem prover
https://ahelwer.ca/post/2020-04-05-lean-assignment/
Sun, 05 Apr 2020 00:00:00 +0000
Note: this post was written for Lean 3; the latest version, Lean 4, is a very different language.
Turn back the clock to 2009: a confused physics major newly infatuated with math and computer science, I enrolled in MATH 273: Numbers and Proofs at the University of Calgary. This wasn’t my first encounter with mathematical proof; in first-year calculus I’d mastered rote regurgitation of delta-epsilon proofs. Despite writing out several dozen, their meaning never progressed beyond a sort of incantation I can summon to this day (for every \( \epsilon > 0 \) there exists a \( \delta > 0 \) such that…).

Checking Firewall Equivalence with Z3
https://ahelwer.ca/post/2018-02-13-z3-firewall/
Tue, 13 Feb 2018 00:00:00 +0000
Lessons I’ve learned from software engineering are uniformly cynical:
- Abstraction almost always fails; you can’t build something on top of a system without understanding how that system works.
- Bleeding-edge methods are a recipe for disaster.
- Everything good is hype and you’ll only ever get a small fraction of the utility being promised.
Imagine my surprise, then, when the Z3 constraint solver from Microsoft Research effortlessly dispatched the thorniest technical problem I’ve been given in my short professional career.

Formal Verification, Casually Explained
https://ahelwer.ca/post/2018-02-12-formal-verification/
Mon, 12 Feb 2018 00:00:00 +0000
Why are we here?
What guarantees does formal verification provide? This question rests at the apex of a hierarchy of inquiry extending all the way down to how we can know anything at all!
What do we mean by software correctness? There are precisely two different ways for a piece of software to be correct:
- The supreme deity of the universe descends from the heavens and decrees, with all the weight of Objective Truth, that a certain piece of software is correct.