What, Why, and How of Formal Methods


Now that I’m one of the organizers of the formal methods meetup it has become a bit clearer why most programmers are not familiar with the general landscape of formal methods. It’s mostly a lack of awareness about what is available out there, so to help fill that gap this post is meant to serve as a brief introduction to some of the vocabulary and high level concepts of formal methods.

This post consists of 3 main sections. The first is about the general concepts and high level classification(s) of formal methods. The second is about why we should care about formal methods in software engineering. The third is about concrete applications of formal methods and some pointers for how to apply them in day to day software engineering.



Here are rules for a new game. Here is how it compares to some old games and some of the benefits and drawbacks. Here is why you should play and other similar games that you might like.

If you try to change the rules then existing players will treat you with extreme prejudice and strongly (potentially violently) recommend you play some other game.

All games are inherently mutable and meta-games are what keep them “stable”. Somewhat unsurprisingly, no one understands the meta-game logic and all players follow meta-game rules implicitly. Meta-game rules are only ever broken by accident. Cosmic bit flips, if you will, are inevitable.

There is strong suspicion there is more than one meta-game.

There is also strong suspicion meta-game rules are immutable so changing meta-games requires simultaneously changing all the rules which makes it a much bigger discontinuous change than just changing a single rule in a regular game.

In the presence of rigid meta-games it’s easy to imagine why regular games would be an obvious way to experiment with potential meta-game swaps. Meta-players would want reasonable assurance their game changes were “beneficial” to them according to some metric.

Most reasonable game players eventually conclude meta-games and meta-players must exist but it’s hard to know for sure because some reasonable players are willing to admit meta-games without meta-players.

Functions aren’t ready for Assembly

Inspired by https://drewdevault.com/2019/02/18/Generics-arent-ready-for-Go.html.

In the distance, a gradual roar begins to grow in volume. A dust cloud is visible over the horizon. As it nears, the shouts of the oncoming angry mob can be heard. Suddenly, it stops, and a brief silence ensues. Then the air is filled with the clacking of hundreds of keyboards, angrily typing the owner’s opinion about functions, calling conventions, and Assembly. The clans of Algol, Cobol, Fortran, C, Forth, Lisp, and more – usually mortal enemies – have combined forces to fight in what may become one of the greatest flamewars of our time. And none of them read more than the title of this article before writing their comment.


Modelling Rolling Deployments in Alloy


This post has a few goals. One is to outline how to think about a simple imperative process in a declarative language/system like Alloy. Another is to make a case for why this kind of formalization is a worthwhile exercise for software engineers.

Disclaimer: To get the most out of this post you need some familiarity with Alloy syntax; otherwise most of it will probably not make much sense. I’ll try to explain things as I go along but promise no mind blowing revelations. As some old person used to say, “There are no royal roads”.


Individual Comfort

This is a response to

By being declarative and deterministic, and rendered in ordinary plain text, HTML and CSS conceal no surprises, which is likely why they are not considered “real programming” by “real” programmers. This property, however, makes them especially easy to learn. Moreover, they are all you need to learn in order to achieve a great many useful results in an open Web.



Learning Trick: Gamification

One really cool trick I’ve discovered over the years is gamifying the learning process. Instead of doing a linear pass through some learning material I approach it in a non-linear fashion and take various detours by asking dumb questions and taking them to their logical conclusion. The downside is that it’s somewhat more time intensive than a linear pass, but the upside is it’s more fun and I seem to retain the information better.

Practical strace: Retrofitting Build Caching

If you look at a build process abstractly, it is basically a function that reads some files as inputs and creates some files as outputs. We can peek into this input/output behaviour by running the build script under strace and asking it to log all file operations. Once we have recovered the inputs and outputs, we can retrofit a caching mechanism on top of the build process by hashing the inputs and using that hash as the key under which the outputs are saved.

To make things more concrete I’m going to use a simple script as a stand-in for a build process

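The recover-then-hash step described above, as an added example that is not the post’s own code: it parses a constructed log in the shape produced by `strace -f -e trace=openat -o build.trace ./build.sh`, splits the successful `openat()` calls into inputs and outputs, hashes the inputs into a cache key, and on a hit restores the outputs instead of running the build. The strace invocation, the regex for its line format, the `build.sh` stand-in and the sample project files are all assumptions made for the example.

```python
import hashlib
import os
import re
import shutil
import tempfile

# One line as produced by:  strace -f -e trace=openat -o build.trace ./build.sh
# (-f together with -o prefixes each line with the pid).  The line shape is an
# assumption: strace versions differ, and "<unfinished ...>" lines are ignored.
OPENAT_RE = re.compile(
    r'^\d+\s+openat\([^,]+,\s*"(?P<path>[^"]*)",\s*(?P<flags>[A-Z0-9_|]+)'
    r'(?:,\s*0[0-7]+)?\)\s*=\s*(?P<ret>-?\d+)'
)
WRITE_FLAGS = {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC"}


def classify(trace_text, root):
    """Return (inputs, outputs) as sorted paths relative to `root`.  Failed opens
    (compilers probe their include path and get ENOENT) are not dependencies;
    directories and files outside `root` are dropped."""
    root = os.path.abspath(root)
    inputs, outputs = set(), set()
    for line in trace_text.splitlines():
        m = OPENAT_RE.match(line)
        if not m or int(m["ret"]) < 0:
            continue
        flags = set(m["flags"].split("|"))
        path = os.path.abspath(os.path.join(root, m["path"]))
        if "O_DIRECTORY" in flags or os.path.commonpath([root, path]) != root:
            continue
        (outputs if flags & WRITE_FLAGS else inputs).add(os.path.relpath(path, root))
    # A file the build wrote and later read back is an intermediate, not an input.
    return sorted(inputs - outputs), sorted(outputs)


def cache_key(root, inputs):
    """SHA-256 over the sorted inputs.  Name and content are length-prefixed, so
    moving bytes between entries or renaming a file changes the key."""
    h = hashlib.sha256()
    for rel in inputs:
        with open(os.path.join(root, rel), "rb") as f:
            data = f.read()
        for part in (rel.encode(), data):
            h.update(b"%d:" % len(part))
            h.update(part)
    return h.hexdigest()


def build_with_cache(root, cache_dir, trace_text, run_build):
    """On a hit copy the cached outputs back; on a miss build and store them.
    Returns (key, hit)."""
    inputs, outputs = classify(trace_text, root)
    key = cache_key(root, inputs)
    slot = os.path.join(cache_dir, key)
    if os.path.isdir(slot):
        for rel in outputs:
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            shutil.copyfile(os.path.join(slot, rel), os.path.join(root, rel))
        return key, True
    run_build()
    staging = slot + ".tmp"  # fill a staging dir, then rename it into place atomically
    os.makedirs(staging, exist_ok=True)
    for rel in outputs:
        os.makedirs(os.path.dirname(os.path.join(staging, rel)), exist_ok=True)
        shutil.copyfile(os.path.join(root, rel), os.path.join(staging, rel))
    os.replace(staging, slot)
    return key, False


def demo():
    """Constructed scenario: a two-file project, a hand-written log in the shape
    above, and three builds (cold, warm, and after editing the header)."""
    root, cache = tempfile.mkdtemp(), tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "src"))
    os.makedirs(os.path.join(root, "out"))
    with open(os.path.join(root, "src", "a.c"), "w") as f:
        f.write('#include "b.h"\n')
    with open(os.path.join(root, "src", "b.h"), "w") as f:
        f.write("#define X 1\n")
    builds = []

    def run_build():  # stand-in for ./build.sh; records how often it really ran
        builds.append(1)
        with open(os.path.join(root, "out", "a.o"), "wb") as f:
            f.write(b"OBJ build %d" % len(builds))

    trace = (  # constructed sample of strace output
        '1001 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3\n'
        '1002 openat(AT_FDCWD, ".", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3\n'
        '1002 openat(AT_FDCWD, "src/a.c", O_RDONLY) = 3\n'
        '1002 openat(AT_FDCWD, "src/b.h", O_RDONLY) = 4\n'
        '1002 openat(AT_FDCWD, "src/missing.h", O_RDONLY) = -1 ENOENT (No such file or directory)\n'
        '1002 openat(AT_FDCWD, "out/a.o", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 5\n'
    )
    inputs, outputs = classify(trace, root)
    runs = [build_with_cache(root, cache, trace, run_build) for _ in range(2)]
    with open(os.path.join(root, "src", "b.h"), "w") as f:
        f.write("#define X 2\n")  # header changed: must miss and rebuild
    runs.append(build_with_cache(root, cache, trace, run_build))
    shutil.rmtree(root)
    shutil.rmtree(cache)
    return {"inputs": inputs, "outputs": outputs, "keys": [k for k, _ in runs],
            "hits": [h for _, h in runs], "builds": len(builds)}
```

Two caveats worth knowing before trusting such a cache. Files outside the project root (the compiler, libc, `/etc/ld.so.cache`) are deliberately excluded, so a toolchain upgrade will not invalidate old entries; if that matters, fold a toolchain version string into the key. Tracing only `openat` also misses `rename`, `unlink` and `truncate`, and with `-f` a syscall interrupted by another process is printed as an `<unfinished ...>`/`<... resumed>` pair that this parser skips; `-e trace=%file` and a per-pid stitch (or `-ff` for one file per pid) close those gaps.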

Portfolio Theory of Code/Systems

Most people agree that code is a liability. The more code you have the worse things get because more code means more entropy and more problems from emergent and unanticipated behavior. So most people agree that the less code you have the better. In this sense TDD is doing the wrong thing because TDD is just more code. Formal methods on the other hand are not code and they de-risk the code portfolio by offloading parts that would be code into something that is not code and hence not a liability.

So really what I’m saying is that if you want to reduce risk associated with code then invest some time in learning formal methods and how to utilize formal methods instead of code to specify and validate systems.