Contracts for building reliable systems

Contracts for building
robust systems
Chris Keathley / @ChrisKeathley / [email protected]

View Slide

Confession

View Slide

I like dynamic languages

View Slide

robust systems

View Slide

robust systems
Correct

View Slide

Correctness: the
quality or state of being
free from error; accuracy.

View Slide

Robust: able to
withstand or overcome
adverse conditions.

View Slide

My life
Service
Service
Service
Service
Service

View Slide

My life
Service
Service
Service
Service
Service
Teams

View Slide

My life
Service
Service
Service
Service
Service
Teams
Me

View Slide

Session
Types

View Slide

My life
Service
Service
Service
Service
Service
Teams
Me

View Slide

Correctness

View Slide

Correctness(t)
Correctness over time

View Slide

Change

View Slide

Change
Growth Breakage

View Slide

Changes
Service Service

View Slide

Changes
Service Service
Expects users

View Slide

Changes
Service Service

View Slide

Changes
Service Service
User{}

View Slide

Changes
Service Service

View Slide

Changes
Service Service
Now you can send me
Users or Cats

View Slide

Changes
Service Service
Now you can send me
Users or Cats
User{}

View Slide

Changes
Service Service

View Slide

Changes
Service Service
Now you can only send me Cats

View Slide

Changes
Service Service
Now you can only send me Cats
User{}

View Slide

Breaking
changes require
coordination

View Slide

Why does software change?

View Slide

Aesthetics

View Slide

Aesthetics
Refactors

View Slide

Refactor?

View Slide

Aesthetics
Refactors

View Slide

Aesthetics Technology
Refactors

View Slide

Requirements
Refactors

View Slide

Requirements
Tacitly expects no breaking changes
Refactors

View Slide

We want to ensure
that we didn’t break
the api while allowing
for growth

View Slide

Lets talk about…
Contracts
Data speciﬁcation
Testing strategies

View Slide

function

View Slide

function
Input

View Slide

function
Input Output

View Slide

function
Input Output
Side-effects

View Slide

function
Input Output
Side-effects
Enforce the callers are correct

View Slide

function
Input Output
Side-effects
Enforce the callers are correct
Ensure the function is correct

View Slide

function
Input Output
Side-effects

View Slide

function
Input Output
Side-effects
Pre-conditions Post-conditions

View Slide

rgb_to_hex

View Slide

rgb_to_hex(0, 10, 32) => “#000A20”

View Slide

rgb_to_hex ::

View Slide

rgb_to_hex :: Integer -> Integer -> Integer

View Slide

rgb_to_hex :: Integer -> Integer -> Integer -> String

View Slide

0 <= x <= 255

View Slide

0 <= x <= 255
Starts with a ‘#’

View Slide

0 <= x <= 255
How do we type this?

View Slide

Dependent
Types

View Slide

0 <= x <= 255
How do we type this?

View Slide

0 <= x <= 255
How do we type this? (today)

View Slide

Design by
Contract
github.com/JDUnity/ex_contract

View Slide

defmodule Contractual do
use ExContract
def rgb_to_hex(r, g, b) do
#…
end
end

View Slide

use ExContract
requires is_integer(r) and 0 <= r and r <= 255
requires is_integer(g) and 0 <= g and g <= 255
requires is_integer(b) and 0 <= b and b <= 255
#…
end
end

View Slide

use ExContract
ensures is_binary(result)
ensures String.starts_with?(result, "#")
#…
end
end

View Slide

use Vow
#…
end
end
This is your invariant

View Slide

What happens when we get an error?
rgb_to_hex(-10, 300, 0.5)

View Slide

What happens when we get an error?
rgb_to_hex(-10, 300, 0.5)
** (ExContract.RequiresException)
Pre-condition ["is_integer(r) and 0 <= r and r <= 255"] violated.
Invalid implementation of caller to function [rgb_to_hex/3]

View Slide

Don’t we already have
guard clauses?

View Slide

We can also check side-effects
requires !check_in_db?(user), "user should not be stored"
ensures check_in_db?(user), "user should be stored"
def store_user(user) do
# ...
end

View Slide

We can also check side-effects
requires !check_in_db?(user), "user should not be stored"
ensures check_in_db?(user), "user should be stored"
def store_user(user) do
# ...
end
Shouldn’t be in the db
afterwords it should

View Slide

Contracts
are powerful

View Slide

Isn’t this
really slow?

View Slide

Yes!

View Slide

Lets talk about…
Contracts
Data speciﬁcation
Testing strategies

View Slide

use ExContract
#…
end
end

View Slide


View Slide

is_integer(r) and 0 <= r and r <= 255
is_integer(g) and 0 <= g and g <= 255
is_integer(b) and 0 <= b and b <= 255
is_binary(result)
String.starts_with?(result, "#")

View Slide

is_integer(r) and 0 <= r and r <= 255
is_integer(g) and 0 <= g and g <= 255
is_integer(b) and 0 <= b and b <= 255
is_binary(result)
String.starts_with?(result, "#")
Is the data correct?

View Slide

Norm

View Slide

is_integer(r) && 0 <= r and r <= 255
is_integer(g) && 0 <= g and g <= 255
is_integer(b) && 0 <= b and b <= 255
is_binary(result) && String.starts_with?(result, "#")
Norm

View Slide

def rgb, do: spec(is_integer() and (& 0 <= &1 and &1 <= 255))
is_binary(result) && String.starts_with?(result, "#")
Norm

View Slide

def hex, do: spec(is_binary() and (&String.starts_with?(&1, "#")))
Norm

View Slide

Norm
conform!(123, rgb())
123

View Slide

Norm
conform!(123, rgb())
123
conform!(-10, rgb())
** (Norm.MismatchError) Could not conform input:
val: -10 fails: &(0 <= &1 and &1 <= 255)
(norm) lib/norm.ex:385: Norm.conform!/2

View Slide

use ExContract
#…
end
end

View Slide

use ExContract
def rgb, do: spec(is_integer() and &(0 <= &1 and &1 <= 255))
#…
end
end

View Slide

use ExContract
def rgb, do: spec(is_integer() and &(0 <= &1 and &1 <= 255))
requires valid?(r, rgb()) and valid?(g, rgb()) and valid?(b, rgb())
ensures valid?(result, hex())
#…
end
end

View Slide

Norm can match on
atoms and tuples

View Slide

Conforming atoms and tuples
:atom = conform!(:atom, :atom)
{1, "hello"} = conform!(
{1, "hello"},
{spec(is_integer()), spec(is_binary())})
conform!({1, 2}, {:one, :two})
** (Norm.MismatchError)
val: 1 in: 0 fails: is not an atom.
val: 2 in: 1 fails: is not an atom.

View Slide

{:ok, spec(is_binary())}

View Slide

result_spec = one_of([
{:ok, spec(is_binary())},
{:error, spec(fn _ -> true end)},
])

View Slide

result_spec = one_of([
{:ok, spec(is_binary())},
{:error, spec(fn _ -> true end)},
])
{:ok, "alice"} = conform!(User.get_name(123), result_spec)
{:error, "user does not exist"} = conform!(User.get_name(-42), result_spec)

View Slide

We can compose
specs into schema’s

View Slide

Norm supports Schema’s
user_schema = schema(%{
user: schema(%{
name: spec(is_binary()),
age: spec(is_integer() and &(&1 > 0))
})
})

View Slide

user: schema(%{
})
})
input = %{user: %{name: "chris", age: 30, email: “[email protected]"}

View Slide

user: schema(%{
})
})
conform!(input, user_schema)
=> %{user: %{name: "chris", age: 30}}

View Slide

user: schema(%{
})
})
conform!(input, user_schema)
=> %{user: %{name: "chris", age: 30}}
Can start sending us
new data whenever
they need to

View Slide

Norm supports optionality
user: schema(%{
})
})

View Slide

user: schema(%{
})
})
How do you mark
a key as optional?

View Slide

Optionality is deﬁned
by the callsite. Not
the data structure.

View Slide

Optionality
plug
plug
plug
assigns: %{}

View Slide

Optionality
assigns: %{}
plug
plug
plug

View Slide

Optionality
assigns: %{}
plug
plug
plug
Assigns a
user id

View Slide

Optionality
assigns: %{user_id: 42}
plug
plug
plug
Assigns a
user id

View Slide

Optionality
plug
plug
plug

View Slide

Optionality
plug
plug
plug
Requires the
user id

View Slide

user: schema(%{
})
})

View Slide

user: schema(%{
})
})
just_age = selection(user_schema, [user: [:age]])

View Slide

user: schema(%{
})
})
just_age = selection(user_schema, [user: [:age]])
conform!(%{user: %{name: "chris", age: 31}}, just_age)
=> %{user: %{age: 31}}

View Slide

Lets talk about…
Contracts
Data speciﬁcation
Testing strategies

View Slide

test "rgb works correctly" do
end

View Slide

assert rgb_to_hex(0, 10, 32)
end

View Slide

assert rgb_to_hex(nil, [:cat], "hey!")
end

View Slide

assert rgb_to_hex(-10, 300, 0.5)
end

View Slide

assert rgb_to_hex(-10, 300, 0.5)
end
Known Knowns

View Slide

“Writing unit tests is a
waste of time”
- John Hughes

View Slide

“Writing unit tests is a
waste of time”
- John Hughes
- Chris Keathley

View Slide

We already know what
kind of data we want

View Slide


View Slide

rgb_gen = Norm.gen(rgb())
Lets generate it instead

View Slide

rgb_gen = Norm.gen(rgb())
rgb_gen |> Enum.take(5)
[124, 4, 172, 217, 162]

View Slide

test "but good this time" do
check all
end
end
Generates values

View Slide

check all
end
end

View Slide

check all r <- gen(rgb()),
end
end

View Slide

g <- gen(rgb()),
end
end

View Slide

g <- gen(rgb()),
b <- gen(rgb()) do
end
end

View Slide

g <- gen(rgb()),
b <- gen(rgb()) do
end
end
What test do we
write?

View Slide

use ExContract
#…
end
end

View Slide

g <- gen(rgb()),
b <- gen(rgb()) do
end
end

View Slide

g <- gen(rgb()),
b <- gen(rgb()) do
assert rgb_to_hex(r, g, b)
end
end

View Slide

So now
what?

View Slide

“Great artists steal”
Ada
Eiffel
Haskell
Python
Clojure

View Slide

Links and references
https://en.wikipedia.org/wiki/Design_by_contract
https://www.clojure.org/about/spec
https://www.cs.tufts.edu/~nr/cs257/archive/john-hughes/quick.pdf
https://people.seas.harvard.edu/~chong/pubs/icfp17-whip.pdf
https://www.youtube.com/watch?v=ROor6_NGIWU
https://arxiv.org/abs/1607.05443

View Slide

Special Thanks!
* Jeff Utter
* Jason Stewart
* Lance Halvorsen
* Greg Mefford
* Jeff Weiss
* The Outlaws

View Slide

Thanks!

View Slide

Contracts for building reliable systems

Contracts for building reliable systems

Chris Keathley

More Decks by Chris Keathley

Other Decks in Programming

Featured

Transcript