Show HN: FizzBee – Formal methods in Python (fizzbee.io)
Traditionally, formal methods are used only for highly mission critical systems to validate the software will work as expected before it's built. Recently, every major cloud vendor like AWS, Azure, Mongo DB, confluent, elastic and so on use formal methods to validate their design like the replication algorithm or various protocols doesn't have a design bug. I used TLA+ for billing and usage based metering applications.
However, the current formal methods solutions like TLA+, Alloy or P and so on are incredibly complex to learn and use, that even in these companies only a few actually use.
Now, instead of using an unfamiliar complicated language, I built formal methods model checker that just uses Python. That way, any software engineer can quickly get started and use.
I've also created an online playground so you can try it without having to install on your machine.
In addition to model checking like TLA+/PlusCal, Alloy, etc, FizzBee also has performance and probabilistic model checking that be few other formal methods tool does. (PRISM for example, but it's language is even more complicated to use)
Please let me know your feedback. Url: https://FizzBee.io Git: https://www.github.com/fizzbee-io/FizzBee
24 comments
[ 4.4 ms ] story [ 72.0 ms ] threadThe third goal is to make it suitable as a design documentation tool. I haven't started, but I would love to share the plan to get early feedback.
What’s it using on the backend for checking predicates?
The code generation is not in the plan, at least, not for the next couple of years until a few prerequisites happen that's not in my control.
The primary reasons for not taking code generation are, 1. It complicates the model spec. My intention is, the spec should be as close to pseudo code as possible that is you ever write pseudo code on your design doc, it should be in fizz. 2. The past experience trying to do complete code generation all failed except for some trivial use cases (like protocol buffers)
-- For the last question, for evaluating expressions, FizzBee uses starlark go library (subset of Python).
https://news.ycombinator.com/item?id=36504073 :
>>> Can there still be side channel attacks in formally verified systems? Can e.g. TLA+ [or FizzBee] help with that at all?
FizzBee is a design specification language whereas Nagini and deal solver are implementation verification language. FizzBee is supposed to be before you start coding, or actually before sending out the design document for review to iron out design bugs. The latter two are supposed to be used to verify the implementation.
Dafny is actually an implementation language designed as verification aware programming language. It does code generation into multiple languages and inserts various preconditions and other assertions into the code. Again, it is suitable for verifying the design.
Is there still a place for implementation language agnostic tools for formal methods?
icontract and pycontracts do runtime type checking and value constraints with DbC Design-by-Contract patterns that more clearly separate the preconditions and postconditions from the command, per Hoare logic. Both can read Python type annotations and apply them at runtime or not, both support runtime checking of invariants: values that shouldn't have changed when postconditions are evaluated after the function returns, but could have due to e.g. parallelism and concurrency and (network I/O) latency and pass by reference in distributed systems.
Anything that operates by checking the implementation can find implementation bugs. Even if they find design bugs it's too late.
As an analogy. You can document the code with comments. Comments explaining why you do what you do. This along with the code can be reviewed and be part of the revision control.
That said, do you still recommend writing separate design documents? If so why? This will also answer your question on why we will need a design spec that's separate from the implementation
(TODO: link to post about university-level FM programs)
Always wondered whether there's some advantage to translating to another language's AST for static and/or dynamic analysis or not. AFAIU Fuzzing is still necessary even given Formal Implementation?
Python is Turing complete, but does [TLA,] need to be? Is there an in-Python syntax that can be expanded in place by tooling for pretty diffs; How much overlap between existing runtime check DbC decorators and these modeling primitives and feature extraction transforms should there be? (In order to: minimize cognitive overload for human review; sufficiently describe the domains, ranges, complexity costs, inconstant timings, and the necessary and also the possible outcomes given concurrency,)
"FaCT: A DSL for Timing-Sensitive Computation" and side channels https://news.ycombinator.com/item?id=38527663
From my understanding of the history of programming, people will always resort to multi-paradigm solutions. For programming, they will use objects oriented concepts, sprinkle with imperative code within their classes, occasionally use functional programming when that is actually elegant.
Despite that, TLA+ ended up having PlusCal which is almost an imperative style (not actually imperative) language.
FizzBee's goal is to be a specification language that happens before the implementation starts.
Is fizzbee a frontend to TLA+?
https://jon-jacky.github.io/PyModel/www/
https://github.com/jon-jacky/PyModel/
The PyModel in that repository is written in Python 2 and has not been maintained for more than ten years.
This fork is in Python 3 and was last revised two years ago:
https://github.com/zlorb/PyModel
The best description of PyModel is the talk at SciPy 2011:
Slides: https://jon-jacky.github.io/PyModel/talks/pymodel-nwpd10.pdf
Paper: https://jon-jacky.github.io/PyModel/talks/pymodel-scipy2011....
PyModel's model checking is explained on p. 3 in the paper in the sections titled Analysis and Safety and Liveness.