Yes, generative/property/fuzz tests are awesome. I use them in Elm whenever I can. I’ve also written a library that uses them for the “Msg / Model / update` triplets of The Elm Architecture: http://package.elm-lang.org/packages/Janiczek/elm-architecture-test/latest

Used them eg. on my implementation of a text editor, and they found so many edge cases, you wouldn’t believe. https://github.com/Janiczek/elm-editor/blob/master/tests/CodeEditor.elm

They effectively allow you to pin down the behaviour of a function to a certain degree; giving you counter-examples like “You said the cursor wouldn’t go to a negative column, but if you do [Insert ‘a’, Left, Backspace], the cursor is -1!”, with the Msg list minimized and all that (it probably found the bug with ~100 Msgs in the list, and threw out those that don’t matter)

EDIT: What would I love in generative testing would be some scheme that allows for it to be a monad (to have a andThen : (a -> Fuzzer b) -> Fuzzer a -> Fuzzer b function) and still be able to shrink well.

Advance warning: Uh, this got long. Sorry. I’ll probably turn it into a blog post.

I would say I’m pretty indifferent to coding per se, but that what I love is things that combine intellectual challenges with practical problem solving, and coding is often a good source of that.

Thing is, coding at work usually isn’t. Most tech jobs are kinda boring, because most of the problems people are payed to solve are variations on a theme and while you can make them intellectually engaging this often this results in a worse result than if you’d just ploughed through and done the work (there’s a reason we have a notion of “overly clever solution”).

As far as whether programmers who enjoy coding are intrinsically better at it… no, of course they’re not. They are however often extrinsically better at it: People who enjoy a thing do more of it, and get more practice at it as a result, and so get better at it.

But it’s important to bear both of the above points in mind: People get better at the thing they practice, but the sort of coding that people practice on their own time is not the sort of coding that you typically need for your job. Some of the skills are absolutely transferable, but some of them are not, and often what you end up with is developers who are over-optimised in some skills (often far beyond what they need for what they’re actually doing) and weak in other equally vital ones. Often those are “soft” skills, but they don’t have to be - I think ops, testing, debugging, architecture, are all pretty common examples of under-practiced skills for developers.

Answering question from down thread…

That’s awesome that your hobby and profession aligns 🙂

I think this an overrated goal personally. I have a lot of hobbies that I have briefly considered turning into professions and immediately gone “noooope” over. The nice thing about having your hobby and your profession separate is that emotional baggage from one carries over to the other less - if you turn your hobby into a job, it’s very likely that the things that inevitably make you mad about your job will also ruin the hobby for you.

It kinda works out OK in programming because the hobby version is so different from the professional version, but the end result of that is often feeling like the professional version is a bad imitation of the hobby version. I’ve seen a lot of burnout happening that way (I think. I may be projecting RE reasons).

Do you have any advice for people who currently don’t enjoy doing what they do for a profession and how to get there?

(I do not want to personally offer career advice because my career is in a very weird place, so this is a bit generic)

My advice to everyone in all circumstances is to over-analyse your problem to death in writing (I’m currently using a hand-written journal for this). Even if you don’t come up with a solution you’ll probably have a better understanding of the shape of the problem and feel better for it.

Generally I ask things like:

1. What do I actually want as opposed to just what I think I should want?
2. What aspects of this problem that I might reasonably be expected to care about do I actually not care about much at all?
3. What would my ideal scenario look like?
4. What smallish changes can I do that would improve things right now?

Specific things that might be worth asking:

1. Do you actually care about liking your job or do you just want to not dislike it?
2. What are the things you actually want to get out of a job?
3. If your concern is being bad at your job, what are some aspects of how you do it that you could improve without practicing it in your spare time?
4. What are some things that you do enjoy doing, and could you do more of those? Maybe focus separately on things that you could do in and out of work.

I think @drmaciver uses prop testing in a much different way than I do. I don’t do a lot of prop testing so it’s quite likely that I am the odd ball here but statements like:

Often you want to generate something much more specific than any value of a given type.

And

Especially if we’re only using these in one test, we’re not actually interested in these types at all, and it just adds a whole bunch of syntactic noise when you could just pass the data generators directly.

What made me find these odd is that I am generally generating the types my API expects, not special types just for testing. If I need a special type just for testing it tells me that my API hasn’t defined its types strictly enough (Correct by Construction). This post seems much more like maybe the author uses these testing types more like contracts?

I’m interested in this part:

this project (OPIC including the hash table implementation) is approved by google Invention Assignment Review Committee as my personal project. The work is done only in my spare time with my own machine and does not use and/or reference any of the google internal resources.

Does Google not allow you to spend your spare time making something unless it’s approved by a committee?

This post couldn’t have been timed better. I’m exploring formal methods for proving certain invariant about a system I’m designing, and I stumbled accoss the lamport tla programs.

I spent half a day trying to get TLA running and failed. As far as I can tell tla+ was an ocaml program that relied on a bunch of random SAT solvers from various universities (which were very difficult to run). It seems like maybe it’s been rewritten in java now?

If someone who uses TLA+ would make a Dockerfile that would be much appreciated.

The python version looks quite interesting, is someone familiar with the problem space able to chime in on the features of Hypothesis vs TLA+?

Was going to write a comment asking @DRMacIver if he intended to combine coverage-driven analysis with the property-based testing of Hypothesis and then scrolled down to see the “glass box testing” section.

I think that unguided fuzzing will inherently require more time than property-based testing. Have you considered having a semi-guided mode? If you can find a roughly robust way to partition inputs by the program flow that they cause AND infer additional input constraints from those partitions (both of these aren’t easy, I understand) a semi-guided tool sounds great– “hmm, spend the next 5 minutes just doing inputs that produce traces at least this long”.

Is there prior art in partitioning execution traces by similarity or inferring properties from input space partitions?

Depends on your goals. If you want high-impact, it looks like it could have it. Reading it made me think it could benefit from IDE assistance where certain analysis happen to the code every time it’s introduced or changes. Then those guided test cases that took hours might take seconds to minutes… at least a subset of them. Might also be a fun project to try to formally verify in K framework or Coq. Need more verified tooling.

I’d also like to see more testing and analysis tools applied to CakeML to show it maintains its invariants in every path of execution. That would increase odds it could be used in DO-178B certified tools without the source-to-object code inspections like required for SCADE done in Ocaml. Just a pile of equivalent tests instead on each transform that can be batched. It would also be good for reference implementations of code used to detect compiler errors in main compilers.

I’m torn. I think what you and others are saying makes a lot of sense, but I can’t help feeling that a little more bondage and discipline (which comes with multiple repos and dependence management) help people not be sloppy about APIs between components. You say “don’t do that” about making everything a nebulous megaproject, but I think the risk for that is huge.

You can have dependency management and partial builds with binary deliverables even between folders in a monolith repo, but I think the megarepo encourages megabuildsystem and megaproject tendencies. Maybe hardline managers and a system like Bazel can make it work better.

I think almost everyone will benefit from organising their code this way.

No. Sweeping generalizations like this don’t help anyone. It all depends on your development process, and which VCS you choose to support this development process, and what this VCS was designed to handle.

For example, at the ASF we have a big monorepo (svn.apache.org) which works because it’s an SVN repository so each project only needs one top-level directory, beneath which the project models its development process using SVN-style branches and tags (i.e. copies).

And there are ASF projects which use git, and these live in distinct repositories (git.apache.org, which also mirrors projects from SVN). Because of how branches are modeled in git that’s the only reasonable option.

Everything on this list seems reasonable, but I see teams doing many of these things and still having problems. You can say “on they aren’t doing it right”, which is probably true. For myself, I think the biggest tool I have for writing high quality software that I don’t see other people use is that I have like 5 or 6 things, and I just use those in different combinations. I really really really hate adding a new technique to my repertoire. I separate stuff with processes a lot. I use state machines + simple interpreters like crazy. I care a lot about pinning dependencies. I also spend a lot of time describing the semantics of my APIs (and I’m in a position where I can demand that of my team). And I do a few other things. I don’t really care that much about testing, I do it generally but it’s not a big priority for me. I don’t know what my secret sauce is but I consistently see my teams ship things with fewer bugs and less severe bugs. Not all, but many of the bugs we hit take about 5 minutes to diagnose and maybe an hour or two more to get deployed through to production (assuming it’s high enough priority to execute on now).

Oh, that’s what’s going on with those things. I noticed it when loading some pages but wasn’t sure why it was happening or how I could make it go away.

Interesting article. Yeah, some advocates are going off the rails with their praise of static typing. I find it helps to look to prior successes and tradeoffs to try to understand how to best do engineering. The people who invented the engineering of software were independently Bob Barton of Burroughs B5000, Dijkstra w/ THE OS, and Margaret Hamilton in Apollo & 001 Tool Suite. Each had pieces of the problem with some culminating with later work into the TCSEC and Orange Book’s B3/A1 classes of high-assurance security. Big companies like IBM came up with formal inspections and Cleanroom’s cost-effective approach. Cleanroom consistently resulted in low-defect software in commercial applications even on first use. Became my baseline. Meanwhile, safety-critical embedded community continued using all kinds of variations of them with lessons learned. CompSci continued working on formal methods, type systems, testing strategies, and runtimes trying to figure stuff out with numerous successes. Private companies differentiating on high-quality systems used a combination of formal methods (esp Altran/Praxis or Galois), safer languages (all), and DSL’s (iMatix and Galois). So, we have plenty to draw on in the lessons learned reports.

Let’s start with what high-assurance projects showed would help by many real-world demonstrators:

1. Ambiguous, English requirements created problems. The requirements, functional or otherwise, must be specified in a precise, unambiguous form. They used formal specifications for that combined with English descriptions so people knew what they were looking at.

2. Design should be modular with easy to follow control flow plus careful attention to correctness of interfaces and any assumptions modules have about interfacing. All of them did this. B5000 did it with argument and type checks at both compiler level and CPU level during runtime. Hamilton noted interface errors were 80+% of problems on Apollo development. Her USL and 001 Tool Suite used formal specs of functions and interfacing to generate code free of interface errors so long as specs were correct. Would knock out 80+% of flaws potentially. This showed up in larger, commercial use with Eiffel Method/Language and SPARK Ada later combined it with static analysis.

3. Highest-assurance had formal proof that the design matched the requirements or security policy. Medium-assurance did this informally where each part mapped to other parts with clear, convincing arguments they corresponded. Almost every project that applied formal proofs, whether it helped a lot or barely, noted that simply redoing specs and code simple enough for provers to use itself caught errors without doing the proving process. Lasting lesson there.

4. Since Bob Barton, it was known that there would be less problems if the language, CPU, and OS made common activities safe to perform by default. His B5000 did that with it being immune to most forms of code injection today. MULTICS’s reverse stack and non-null-terminated strings with PL/0 made it immune to some problems. Wirth’s languages checked bounds, argument types, etc. Hansen had one free of race-conditions. Eiffel’s SCOOP took that further with Rust doing it again. Various ML’s, Haskell, and IDRIS took it even further in various ways. The focus was designing something so that average use could make sure entire problems would never happen. More typing led to more time so tools often did prototyping in unsafe mode with quick tests to make sure it worked initially. Full type-checks and thorough tests could run in background, on clusters, or overnight to get more thorough results.

5. Review of all that. Burroughs did it implicitly with Barton seeming to invent the concept in an off-hand comment or two. Apollo team did it religiously. Commercial sector got the message when Fagan introduced Software Inspection Process at IBM that dedicated percentage of time to finding bugs based on checklists of kind that keep cropping up. Worked wonders. Later, OpenVMS team alternated one week building, one week reviewing/fixing based on priority, and all tests ran during weekend. One of most reliable OS’s ever built. Microsoft did a 180 in security when high-assurance engineer, Steve Lipner, gave them a watered-down, ship-quick version of this list under SDL. The reviews & QA tests knocked 0-days down to lower than most FOSS that I can tell. So, review, review, review!

6. Testing. Came in many forms with many benefits. Acceptance tests were about customers as much as proving the tech works. Unit tests checked every module and improved quality but test-building and running vs other QA trade-off is still debated. Cleanroom decided bugs users see are worse than those they don’t. So they did usage-driven testing based on models of all the ways the users might use the interfaces to the product. Combining it with formal specs or Design-by-Contract allowed test generation based on specs of actual behavior. You don’t manage those tests at all but still get the benefit. Fuzz testing caught errors manual tests often missed so they’re good idea. So far, automated testing from formal specs and/or types combined with manual tests for what those can’t easily express seems like strongest combo. Run fuzz tests, QuickCheck, etc over night with prioritizing fixes based on importance or severity.

7. It was known since early days that compilers were complicated beasts that could trash your software’s correctness. Wirth went with simplified ones that did quick iterations with OK performance. Ada compilers tried to do everything under the sun for high safety & performance with high build times and costs resulting. LISP’s had ideal method of REPL for instant results, incremental checks/compilation of individual functions for quick iteration of performing code, and full compilation with static types for best results which could be batched. It also showed the complex functionality could be macro’d onto simpler language that’s easy to compile. 4GL’s did that for BASIC as well with tremendous productivity boosts. Certifying compilers showed up that converted HLL to assembly with evidence they’d always be correct. My recent proposal is to add macros, Design-by-Contract, Rust’s temporal safety, and a few other things to a language like Modula-3 that’s already ultra-fast to compile and turn into production code. Give it LISP-like combo of fast interpreter, incremental compilation, and fully-optimizing compilation caching & integrating the results as development happens. Fully test it in overnight runs that do spec-based test generation, acceptance/regression testing, fuzz testing, full analysis, and certifying compilation with tests against the fast versions for correctness checking. Come into work next day to find either what problems to fix or ultra-optimized, correct code ready to integrate into whatever you’re about to build.

8. Information-flow analysis. The early version was to detect covert channels that are the bane of high-assurance security’s existence. The only thing we couldn’t reliably, consistently eliminate. The initial method modeled the system, software and hardware, as interacting parts to find what components they shared. If they can read/write it, it’s a storage channel. If they can modify & time it, it’s a timing channel. Later on, such stuff turned into information flow control that labeled various variables in accordance with your correctness or security model to then track via type systems or other analysis how information flows in your system. Violations of your expectations vs code’s reality are problems to be corrected. Design-by-contract can do some of this but maybe not all. Open problem. Already practical enough that tools like SIF can do web applications that automatically find or prevent leaks then generate client and server-side code with specific algorithms in right spot for acceleration or security. Such methods could benefit software in general.

9. Recovery-oriented computing and fault-tolerance. Hamilton’s people proved this out in Apollo using asynchronous communicating processes, hardware redundancy, code to handle failures of processes/components, and a human-in-the-loop method to let people do what they do better. Tandem NonStop used similar features to design a massively-parallel, five-9’s platform for mission-critical assets. OpenVMS got close to that with decade plus uptimes by just focusing on code review, error handling in kernel, versioned files, standardized locking/batching/whatever to do hard stuff for apps, and bulletproof clustering. Byzantine fault-tolerance and all kinds of exotic stuff went from there but recent stuff like Copilot monitoring scheme and micro-restarts paper show it can be really simple to react to lots of stuff properly. :) The strategy for the rest was fail fast, safe, and as obviously as possible with error messages pointing in the right direction if possible.

10. Build-systems. I’ll briefly mention this as it doesn’t cause most problems. Should protect integrity of software keeping track of all changes to know where problems came from. If security-critical project, it should run on strong TCB with access controls per project or maybe even file to reduce malicious input. Automate any tedious things while letting people decide on the rest as “managing” software in build systems has so many angles I’m still learning basic things in new contexts. Immutable store with per commit integrity, access controls for confidentiality/malice, and replication for availability are the basics.

11. Static and dynamic analysis. These came later in research for lighter, formal methods. The best static analysis tools… probably Astree Analyzer for C and SPARK Ada’s built-in one… can prove software free of common errors if you can write it in the constrained way necessary. Many model-checkers and SMT solvers were formed that could automatically prove properties about specific software. This ties into spec or property based testing where the solvers can handle what they’re good at with tests handling others. Such thinking led to dynamic analysis that combined specs and/or static analysis techniques with actually running the program. The benefits of that, from safety to extra optimization, led to my idea of staged compilation process that does quick checks in interpreter early on, slightly-slower ones on sub-optimized EXE in background, and full battery with full optimization last. In any case, developers should be using whatever automated analysis or testing tools they can for their language/app.

12. Functional/OOP programming. Each group claimed their methods of development prevented flaws common in structured, imperative programming esp as things got big. More flexibility and safety they say. Subsets of these principles were shown to do exactly that. Smalltalk was the early success and is reigning king of OOP model in productivity with Eiffel maybe champ in productivity, speed, and correctness tradeoff. Functional finally matured enough with Ocaml and Haskell ecosystems to do amazing things. Using functional in as pure a style as possible to combine with automated analysis and testing methods seems like great promise in work involved vs correctness obtained. OOP I can’t speak on as I avoided it and have less data on how experts in say Smalltalk or Eiffel might do that.

13. CPU or ASIC level. I left this last as it’s often the least-likely to be available. B5000 architecture made it immune-by-default to stack overflows, out-of-bounds accesses, mis-matched arguments in function calls, and malicious data becoming new code due to app flaws. Wirth and Jurg’s Lilith computer designed the CPU, assembly, compiler, and HLL to work together ideally so no abstraction gaps posed a problem. The Secure Ada Target and Army Secure OS (ASOS) projects made tagged hardware plus high-security runtimes that enforced at runtime many protections which Ada may or may not catch at compile time. They failed but numerous Java CPU’s doing something similar succeeded in marketplace. Recently, at high-end, Cambridge’s CHERI makes C apps capability secure with any violation of POLA being caught by CPU. More important here, the SAFE processor at crash-safe.org has a policy-neutral, metadata engine built-in that can enforce at runtime something like 50 different policies in any combination on running software. A combination of above spec and testing strategies with such a CPU in build-system could have tools produce the EXE’s and policies to check correctness with CPU doing that natively with no penalty. Most important policies, like memory safety or leak prevention, can be used in production as well to be sure any unknown vectors won’t screw with you. CPU’s themselves or at least critical parts can be made with correct-by-construction techniques that often ensure first-pass with asynchronous knocking out timing issues, triplicated checking w/ voter to knock out general issues, and SOI/rad-hard processes knocking out many EM or radiation issues.

So, there’s what over a decade studying high-assurance systems taught me had big payoff in various projects. Methods like Cleanroom, formal specification esp of interface expectations, spec-based testing, safe languages, static analysis, and easy iteration w/ full-on testing done later have collectively always paid off. Combinations of these were done on various projects by small teams with limited expertise in them and still got better success than usual at correctness. The companies like Altran or Galois that consistently apply some of this rarely had failures in production with most defects being non-critical. Such empirical evidence of specific methods consistently getting good results in terms of low defects argues strongly to start with what they do in coming up with next method with better time/work/defect tradeoffs.

It’s about as quick a summary as I can put in. I’ll be busy today chilling with family but will chime in to attempt to answer more detailed questions as time permits.

[Comment removed by author]

This came up again in the context of the recent Dyn DDoS and comes up regularly in discussion of the Internet of Things and its general total lack of software or security.

Link? I’m wondering why people think this. Do you mean people are arguing it would have made taking over the IoT devices impossible in the first place, or that a static type system would somehow make handling a DDoS possible? In any case, I think any reasonable person would see through these statements pretty quickly. You can find someone who has said just about anything.

As static typing becomes more elaborate the scope of the bugs it can prevent becomes wider, but it comes with an additional cost: Build times.

Ocaml has pretty reasonable build times. IMO, I would say Ocaml build times are close to Go given how much moe expressive the type system is than Go’s.

My general experience of the correctness software written in fancy statically typed languages is not overwhelmingly positive compared to that of software written in dynamic languages. If anything it trends slightly negative. This suggests that for the scale of many projects the costs and benefits are close enough that this actually matters.

Having written and inherited code in a dynamically typed language, I can say the big win, in my experience, is refactoring. IME, a lot of people (on both sides) talk about producing code the first time. IME, that is pretty easy no matter what language one is it. Coming back to code 6 months or 6 years later is a much different story.

Does anyone know if a dictionary implemented in a low-level language like Rust/C/C++/D/Go, and using the same compact/ordered structure, would have the same benefits?

404?

I was disappointed to see the 2011 project is now dead after reading the authors' descriptions in the reddit ama.

It isn’t entirely clear to me if the ‘generic programming’ and ‘type propagation’ of Clay2011 is spiritually different from, say, the type inference system in Haskell. Is one more expressive? Is one more concise? Any insight? Different implementations with an equivalent result?

If the two are different, are there other languages with an approach like Clay2011?

I tend not to learn new languages much these days unless I’ve got a good excuse to. I miss doing so (I used to do it quite regularly) but not quite enough to put in the effort.

That being said, I’m more or less actively looking for an excuse to learn Rust and Elm.

Elm, mostly to see what they did right and learn a bit more about their good type error messages. Rust simply because I’ve got a general interest in being able to write efficient low-level code in a safer language than C.

I’ve also got a long-running unfulfilled desire to write something non-trivial in a forth, but I’m unlikely to ever get around to it.

Creator of Thyme here. We made this to track application usage and find possible interventions to boost our productivity at Sourcegraph. Happy to answer any questions and hope you find it useful!

“Literally ten billion people whose surnames start with “O’” live in Ireland”

There are fewer than 5 million people living in Ireland. Makes me worry about how well researched this is…