If you’ve worked with Rust for a while, you’ve probably heard the phrase “making illegal states unrepresentable”. It’s a phrase that’s often used when people praise Rust’s type system. But what exactly does it mean? And how can you apply it to you…| Corrode Rust Consulting
Encoding business logic in types| fsharpforfunandprofit.com
Alloy Docs| alloy.readthedocs.io
This is just a way of thinking about formal specification that I find really useful. The terms originally come from Michael Jackson’s Software Requirements and Specifications. In specification, the machine is the part of the system you have direct control over and the world is all the parts that you don’t. Take a simple transfer spec: ---- MODULE transfer ---- EXTENDS TLC, Integers CONSTANTS People, Money, NumTransfers (* --algorithm transfer variables acct \in [People -> Money]; define \...| Hillel Wayne
Parse, don’t validate| lexi-lambda.github.io
Contact me here. Services: Workshops Talks Spec pairing and review Retainer services Workshops If you’re building complex, expensive systems, my workshops on software modeling can help you save hundreds of thousands in saved developer time and maintenance work. With my training you’ll learn how to Catch complex bugs that would take weeks or months to fix, and fix them before you start writing code. Build complicated systems quickly and with confidence.| Hillel Wayne
When teaching formal methods, I often get asked how we can connect the specifications we write to the code we produce. One way we do this is with refinement. All examples are in TLA+.1 Imagine we’re designing a multithreaded counter. We don’t know how we’re going to implement it yet, so we start by specifying the abstract behavior.2 ---- MODULE abstract ---- EXTENDS Integers, Sequences VARIABLES pc, counter vars == <> \* Two threads Threads == 1.| Hillel Wayne
Consider a data type that represents users, which includes “favorite people” and “blocked people”:1 data Person: favorites: set of Person blocked: set of Person We want a validation that says that these two sets are disjoint, a.k.a. no person can belong to both sets at once. We call these kinds of validations predicates, or boolean functions that correspond to our requirements. The predicates determine if a representable item is also a valid item.| Hillel Wayne