This text is a write-up of a chat I gave at MinneBar 2022. As an alternative of studying this, you might additionally watch the recording or view the slides.
The title of this speak is “sustaining software program correctness.” However what precisely do I imply by “correctness”? Let me set the scene with an instance.
Years in the past, when Trello Android adopted RxJava, we additionally adopted a reminiscence leak downside. Earlier than RxJava, we would have, say, a button and a click on listener; when that button would go away so would its click on listener. However with RxJava, we now have a button click on stream and a subscription, and that subscription might leak reminiscence.
We might keep away from the leak by unsubscribing from every subscription, however manually managing all these subscriptions was a ache, so I wrote RxLifecycle to deal with that for me. I’ve since disavowed RxLifecycle as a consequence of its quite a few shortcomings, certainly one of which was that you just needed to keep in mind to use it appropriately to each subscription:
observable
.subscribeOn(Schedulers.io())
.observeOn(AndroidSchedulers.mainThread())
.bindToLifecycle() // Overlook this and leak reminiscence!
.subscribe()
Should you put bindToLifecycle() earlier than subscribeOn() and observeOn() it would fail. Furthermore, when you outright neglect so as to add bindToLifecycle() it doesn’t work, both!
There have been tons of (maybe 1000’s) of subscriptions in our codebase. Did everybody keep in mind so as to add that line of code each time, and in the correct place? No, in fact not! Folks forgot continually, and whereas code overview caught it generally, it didn’t all the time, resulting in reminiscence leaks.
It’s straightforward accountable individuals for messing this up, however genuinely the design of RxLifecycle itself was at fault. Relying on individuals to “simply do it proper” will ultimately fail.
Let’s generalize this story.
Suppose you’ve simply created a brand new structure, library, or course of. Over time you discover some points that stem from individuals incorrectly utilizing your creation. If individuals would simply use all the things appropriately there wouldn’t be any issues, however to your horror everybody continues to make errors and trigger your software program to fail.
That is what I name the correctness dilemma: it’s straightforward to create however onerous to keep up. Getting individuals to align on a code model, correctly contribute to an OSS challenge, or persistently releasing good builds – all of those processes are straightforward to provide you with, however errors ultimately creep in when individuals do not use them appropriately.
The core mistake is designing with out preserving human fallibility in thoughts. Anticipating individuals to be excellent will not be a tenable answer.
Should you pay no consideration to this facet of software program design (like I did for a lot of my profession), you might be setting your self up for long run failure. Nonetheless, as soon as I began specializing in this downside, I found many good (and customarily straightforward) options. All you must do is strive, just a bit bit, and generally you’ll arrange a product that lasts endlessly.
How will we design for correctness?
Human error is an issue in any trade, however I feel that within the software program trade now we have a singular superpower that lets us sidestep this downside: we are able to readily flip human processes into software program processes. We are able to take unreliable chores completed by individuals and switch them into reliable code, and sooner than anybody else as a result of we’ve received all of the software program builders.
What will we do with this energy to keep away from human fallibility? We constrain. The important thing concept is that the much less freedom you give, the extra seemingly you’ll keep correctness. When you’ve got the liberty to do something, then you will have the liberty to make each mistake. Should you’re constrained to solely do the right factor, then you haven’t any alternative however to do the correct factor!
There are all kinds of methods we are able to make use of for correctness, laying on a spectrum between flexibility and rigidity:
Let’s take a look at every technique in flip.
Institutional Data
In any other case referred to as “stuff in your head.”
That is much less of a technique and extra of a place to begin. Every part has to start out someplace, and often that’s within the collective consciousness of you and your teammates.
Ideas are nice! Considering comes naturally to most individuals and have many benefits:
Ideas are extraordinarily low cost; the going price has been unaffected by inflation, so it’s nonetheless only a penny for a thought. Brainstorming is predicated on how low cost ideas are; “The place ought to this button go?” you may ask, and also you’ll have fifteen completely different doable areas within the span of some minutes.
Ideas are extraordinarily versatile. You may pitch a brand new course of to your workforce to check out for every week, see the way it goes, then abandon it if it fails. “Let’s strive posting a fast standing message every morning”, you may recommend, and when everybody inevitably hates it then you’ll be able to rapidly give it up every week later.
Institutional information can clarify and summarize code. Would you quite learn by way of each line of code, or have somebody focus on its construction and objectives? Trello Android might function offline, which suggests writing adjustments to the shopper’s database then syncing these adjustments with the server – I’ve simply now described tens of 1000’s of traces of code in a single sentence.
Institutional information can clarify the “why” of issues. By itself, code can solely describe the way it will get issues completed, however not why. Any hack you write to resolve an answer in a roundabout approach ought to embrace a touch upon why the hack was needed, lest future generations marvel why you wrote such wacky code. There may need been a sequence of experiments that decided that is one of the best answer, although that’s not apparent.
Institutional information can describe human issues. There’s solely a lot you are able to do with code. Your trip coverage can’t be absolutely encoded as a result of workers get to decide on once they take trip, not computer systems!
There’s rather a lot to love about pondering, however relating to correctness, institutional information is the worst. Low-cost and versatile doesn’t make for a robust correctness basis:
Institutional information will be misremembered, forgotten, or go away the corporate. I are likely to neglect most issues I did after just some months. Coworkers with professional information can give up anytime they need.
Institutional information is laborious to share. Each new teammate must be taught each little bit of institutional information by another person throughout onboarding. Everytime you provide you with a brand new concept, you must talk it to each present teammate, too. Scale is inconceivable.
Institutional information will be tough to speak. The sport “phone” is based on simply how onerous it’s to cross alongside easy messages. Now think about enjoying phone with some tough technical idea.
Institutional information doesn’t remind individuals to do one thing. Do you want somebody to press a button each week to deploy the newest construct to manufacturing? What if the one that does it… simply forgets? What in the event that they’re on trip and nobody else remembers that somebody has to push the button?
Like I mentioned, institutional information is nice and vital – it’s the start line, and an affordable, versatile technique to experiment. However any institutional information that’s frequently used must be codified in a roundabout way. Which leads us to…
Documentation
I’m certain that somebody was screaming at their monitor whereas studying the final part being like “Documentation! Duh! That’s the reply!”
Documentation is institutional information that’s written down. That makes it tougher to neglect and simpler to transmit.
Documentation has lots of some great benefits of institutional information – although not fairly as low cost or versatile, it’s also in a position to summarize code and describe human issues. It’s also a lot simpler to broadcast documentation; you don’t have to sit down down and have a dialog with each one that must be taught.
There’s additionally a pair bonuses to visible information. Documentation can use photos or video. A very good stream chart or structure abstract is value 1000 phrases – I might spend a bunch of time speaking about how Trello Android’s offline structure works, or you might take a look at the stream charts on this article. I personally discover that video can click on with me simpler than simply speaking; I believe this is the reason the trendy video essay exists (over written articles).
Documentation also can create checklists for complicated processes. We automated a lot of it, however the strategy of releasing a brand new model of Trello Android nonetheless concerned many unavoidably guide steps (e.g. writing launch notes or checking crash reviews for brand new points). A very good guidelines might help reduce down on human error.
Regardless of documentation’s advantages, there’s a motive this speak was initially titled “documentation will not be sufficient.”
Right here’s a typical state of affairs we’d run into at work: we’d provide you with a brand new workforce course of or structure, and folks would say “that is nice, however we’ve received to put in writing it down so individuals received’t make errors sooner or later.” We’d take the time to put in writing some nice documentation… solely to find that errors saved occurring. What provides?
Nicely, it seems there are numerous issues that may come up with documentation:
Documentation will be badly written or misunderstood. A doc can clarify an idea poorly or inaccurately, or the reader may merely misapprehend its that means. There’s additionally no technique to double-check that the data was transmitted successfully; speaking to a different individual permits for clarifying questions, however studying documentation is a one-way transmission.
Documentation will be poorly maintained and go old-fashioned. Maybe your doc was correct when first written, however years later, it’s a web page of lies. Maintaining documentation up-to-date is pricey and laborious, when you even keep in mind to return and replace it.
Documentation will be onerous to search out or just ignored. Even when the doc is ideal, you want to have the ability to discover it! Possibly it’s someplace on Confluence however who is aware of the place. Even worse, individuals won’t even know they should learn some documentation! “I’m sorry I took down the server, I didn’t know that you just could not reduce releases at 11PM as a result of I by no means noticed the discharge course of doc.”
Documentation can not function a reminder. Very similar to with institutional information, there’s no approach for documentation to let you know to do one thing at a sure time. Checklists get you barely nearer, however there’s no assure that an individual will keep in mind to test the guidelines! Trello Android had a launch guidelines, however oftentimes the discharge would roll round and we’d uncover that somebody forgot to test it, and now we are able to’t translate the discharge notes in time.
Documentation is important. Some ideas can solely be documented, not codified (like high-level structure explanations). And in the end, software program growth is about working with people. People are messy, and solely written language can deal with that messiness. Nonetheless, it’s just one step above institutional information when it comes to correctness.
Affordances
Let’s take a detour into the dictionary.
An affordance is “the standard or property of an object that defines its doable makes use of or makes clear the way it can or must be used.”
I used to be first launched to this idea by “The Design of On a regular basis Issues” by Don Norman, which fits into element finding out seemingly banal design selections which have big impacts on utilization.
A traditional instance of fine and dangerous affordances are doorways. Good doorways have an apparent technique to open them. Crash bar doorways are instance of that; there’s no universe wherein you’d suppose to pull these doorways open.
The other is what is called a Norman door (named after the aforementioned Don Norman). Norman doorways that invite you to do the incorrect factor, for instance by having a deal with that begs to be pulled however, actually, must be pushed.
Right here’s why I discover all this attention-grabbing: We are able to use affordances in software program to invisibly information individuals in direction of correctness in software program. Should you make “doing the correct factor” pure, individuals will simply do it with out even realizing they’re being guided.
Right here’s an instance of an affordant API: in Android, there’s nobody stopping you from opening a connection to a database everytime you need. A dozen builders every doing their very own customized DB transactions can be a nightmare, so as a substitute, on Trello Android we added a “modification” API that will replace the DB on request. The modification API was straightforward – you’ll simply say “create a card” and it’d go do it. That’s rather a lot easier than opening your individual connection, establishing a SQL question, and committing it – thus we by no means needed to fear about anybody doing it manually. Why would you, when utilizing the modification API was there?
What about enhancing non-software conditions? One instance that involves thoughts is submitting bug reviews. The tougher it’s to file a bug report, the much less seemingly you might be to get one (which, hey, possibly that’s a characteristic for you, however not for me). The teams that put the onus on the filer to determine precisely the place and how one can file a bug tended to not hear vital suggestions, whereas the groups that mentioned “we settle for all bugs, we’ll filter out what’s not vital” received a number of suggestions on a regular basis.
If, for some motive, you’ll be able to’t make the “proper” approach of doing issues any extra affordant, you’ll be able to as a substitute do the other and make the incorrect approach un-affordant (aka onerous and obtuse). Is there an escape hatch API that most individuals shouldn’t use? Cover it in order that solely those that want it might probably even discover it. Getting too many developer job functions? Add a easy algorithm filter to the beginning of your interview pipeline.
I consider this idea like how governments can form financial coverage by way of subsidies and taxes: make what you need individuals to do low cost; make what you do not need individuals to do costly.
Although not precisely an affordance, I additionally contemplate peer strain a associated technique to invisibly nudge individuals in the correct path. I don’t suppose I’m alone after I say that the very first thing I do in a codebase is go searching and attempt to copy the native model and logic. If somebody asks me so as to add a button that makes a community request, I’m going to search out one other button that does it first, copy and paste, then edit. If there are 50 alternative ways to put in writing that code, nicely, I hope I discovered the correct one to repeat; if there’s only one, then I’m going to repeat the write methodology. Consistency creates a flywheel for itself.
I like affordances as a result of they information individuals with out them being consciously conscious of it. Lots of the correctness methods I’ll focus on later are extra heavy handed and obtrusive; affordances are mild and invisible.
Their essential draw back is that affordances and peer strain can solely information, not limit. Typically these methods are helpful whenever you can’t cease somebody from doing the incorrect factor as a result of the coding language/framework is just too permissive, you might want to present exceptions for uncommon instances, otherwise you’re coping with human processes (and something can go off the rails there).
Software program Checks
Software program checks are when code can test itself for correctness.
Should you’re something like me, you’ve simply began skimming this part since you suppose I’m gonna be speaking about unit assessments. Nicely… okay, sure, I’m, however software program checks are a lot extra than unit assessments. Unit assessments are only one type of a software program test, however there are numerous others, such because the compiler checking grammar.
What pursuits me right here is the timing of every software program test. These checks can occur as early as whenever you’re writing code to as late whenever you’re working the app.
The sooner you may get suggestions, the higher. Quick suggestions creates a decent loop – you neglect a semicolon, the IDE warns you, you repair it earlier than even compiling. In contrast, gradual suggestions is painful – you’ve simply launched the newest model of your app and oops, it’s crashing for 25% of customers, it’ll be a minimum of a day earlier than you’ll be able to roll out a repair, and also you’ll must undo some structure selections alongside the best way.
Let’s take a look at the timing of software program checks, from slowest to quickest:
The slowest software program test is a runtime test, whereby you test for correctness as this system is working. Accumulating analytics/crash knowledge out of your software program because it runs is nice for locating issues. For instance, in OkHttp, every Name can solely be used as soon as; attempt to reuse it and also you get an exception. This test is inconceivable to make earlier than working the software program.
There are large drawbacks to runtime checks: your customers find yourself being your testers (which received’t make them blissful) and there’s an extended turnaround from discovering an issue to deploying a repair (which additionally received’t make your customers blissful). It’s additionally an inconsistent technique to take a look at your code – there could be a bug on a code path that’s solely accessed as soon as a month, making the suggestions loop even slower. Runtime checks are value embracing as a final resort, however counting on them alone is poor follow.
The following slowest software program test is a guide take a look at, the place you manually execute code that runs a test. These will be unit assessments, integration assessments, regression assessments, and so on. There will be quite a lot of worth in writing these assessments, however you must foster a tradition for testing (because it takes time & effort to put in writing and confirm the correctness of assessments). I feel it’s value investing in these kinds of assessments; in the long term, good assessments not solely prevent effort but in addition pressure you to architect your code in (what I contemplate) a typically superior approach.
One step up from guide assessments are automated assessments, that are simply guide assessments that run robotically. The core downside with guide assessments is that it requires somebody to recollect to run them. Why not make a pc keep in mind to do it as a substitute? Bonus factors if failed checks forestall one thing dangerous from occurring (e.g. blocking code merges that break the construct).
Subsequent up are compile time checks, whereby the compilation step checks for errors. Sometimes that is concerning the compiler implementing its personal guidelines, comparable to static sort security, however you’ll be able to combine a lot extra into this step. You may have checks for code model, linting, protection, and even run some automated assessments throughout compilation.
Lastly, the quickest suggestions is given at design time, the place your editor itself tells you that you just made a mistake when you are writing code. As an alternative of discovering out you mis-named a variable throughout compilation, the editor can immediately let you know that there’s a typo. Or whenever you’re writing an article, the spellchecker can discover errors earlier than you put up the article on-line. Very similar to compile time checks, whereas these are typically about grammatical errors, you’ll be able to generally insert your individual design time model/lint/and so on. checks.
Whereas quick suggestions is healthier, the sooner timings are likely to constrain what you’ll be able to take a look at. Design-time checks can solely particular bits of logic, whereas runtime checks can cowl mainly something your software program can do. In my expertise, whereas it’s simpler to implement runtime checks, it’s typically value placing in a bit of additional effort to make these checks go sooner (and be run extra persistently).
Constraints
Constraints make it in order that the one path is the right one, such that it’s inconceivable to do the incorrect factor. Let’s take a look at a couple of instances:
Enums vs. strings. Should you can constrain to just some choices (as a substitute of any string) it makes your life simpler. For instance, individuals are typically tempted to make use of stringly-typing when deciphering knowledge from server APIs (e.g. “card”, “board”, “checklist”). However strings will be something, together with knowledge that your software program will not be in a position to deal with. By utilizing an enum as a substitute (CARD, BOARD, LIST) you’ll be able to constrain the remainder of your utility to only the legitimate choices.
Stateless features vs. stateful lessons. Something with state runs the danger of ending up in a foul state, the place two variables are in stark disagreement with one another. Should you can execute the identical logic in a self-contained, stateless perform, there’s no threat that some long-lived variables can find yourself out of alignment with one another.
Pull requests vs. merging to essential. Should you let anybody merge code to essential, then you definitely’ll find yourself with failing assessments and damaged builds. By requiring individuals to undergo a pull request – thus permitting steady integration to run – you’ll be able to pressure higher habits in your codebase.
Not solely can constraints assure correctness, in addition they restrict the logical headspace you might want to wrap your thoughts round a subject. As an alternative of needing to contemplate each string, you’ll be able to contemplate a restricted variety of enums. In the identical vein, it additionally limits the variety of assessments you might want to cowl your logic.
Automation
While you automate, a pc does all the things for you. This is sort of a constraint however higher as a result of individuals don’t even must do something. You solely have to put in writing the automation as soon as, then the computer systems will take over doing all your busywork.
One efficient use of this technique is code technology. A traditional instance are Java POJOs, which don’t include an equals(), hashCode(), or toString() implementations. Within the outdated days, you used to must generate these by hand; these implementations would rapidly go stale as you modified the POJO’s fields. Now, now we have libraries like AutoValue (which generate implementations based mostly on annotations) or languages like Kotlin (which generate implementations as a language characteristic).
Steady integration is one other nice automation technique. Having hassle remembering to run all of your checks earlier than merging new code? Simply get CI to pressure you to do it by not permitting a merge till you cross all of the assessments. You may even have CI do automated deployments, such that you just barely must do something after merging code earlier than releasing it.
There are two essential drawbacks of automation. The primary is that it’s costly to put in writing and keep, so you must test that the payoff is value the fee. The second downside is that automation can do the incorrect factor again and again, so you must watch out to test that you just applied the automation appropriately within the first place.
Now that we’ve reviewed the methods, permit me to display how we use them in the true world.
Earlier than fixing any given downside, you must take a step again and determine which of those methods to use (if any) earlier than committing to an answer. You’ll most likely find yourself with a mixture of methods, not only one. For instance, it’s not often the case you can simply implement constraints or automation with out additionally documenting what you probably did.
There are a couple of meta-considerations to bear in mind as nicely:
First, whereas inflexible options (like constraints or automation) are higher for correctness, they’re worse for flexibility. They’re costly to alter after implementation and unforgiving of exceptions. Thus, you might want to stability correctness and adaptability for every state of affairs. On the whole, I development in direction of early flexibility, then transferring in direction of correctness as needed.
Second, you may implement correctness badly. You may have flakey software program checks, overbearing code contribution processes, tough automation upkeep, or no escape hatches for brand new options or exceptions. Correctness is an funding, and you might want to ensure you can afford to speculate and keep.
Final, you want buy-in out of your teammates. I are likely to make the error of pondering that as a result of I like an answer that everybody else may also prefer it, however that’s positively not all the time the case. Should you get settlement from others, correctness is less complicated to implement (particularly for workforce processes); individuals will go together with your plans, and even pitch in concepts to enhance it.
Disagreements, however, can result in toxicity, comparable to individuals ignoring or purposefully undermining your creation. At my first job they tried to implement a code model checker that prevented merges, however did not have a plan for how one can repair outdated recordsdata. There was no automated formatter (as a result of it was a customized markup language), so nobody ever wished to repair the large recordsdata; as a substitute everybody simply saved utilizing a workaround to keep away from the code model checker! Whoops!
Taking a while to collect proof then presenting the case to your coworkers could make a world of distinction.
Now, let’s take a look at a couple of examples and analyze them…
Code Fashion
For instance, how do you get everybody to persistently use areas over tabs?
❌ Institutional information – Unhealthy; this doesn’t forestall individuals from going off the code model in any respect.
❌ Documentation – Simply as dangerous as institutional information, however written down.
✅ Affordances – Semi-effective. You may configure your editor to all the time use areas as a substitute of tabs. Even higher, some IDEs allow you to test a code model definition into supply management so everyone seems to be on the identical web page style-wise. Nonetheless, when it comes to correctness, it guides however doesn’t limit.
✅ Software program checks – Utilizing lint or code model checkers to confirm code model is a superb use of CPU cycles. Folks can’t merge code that goes off model with this in place.
❌ Constraints – Probably not doable from what I can inform. I’m undecided the way you’d implement this – ship everybody keyboards with out the tab key?
❌ Automation – You would have some hook robotically rewrite tabs to areas, however actually this provides me the heebie jeebies a bit!
Ultimately, I like implementing your model with software program checks, however making it simpler to keep away from failures with affordances.
Code Contribution to an OSS Mission
How do individuals contribute code to an open supply codebase? Should you’ve received a selected course of (like code critiques, working assessments, deploying) how do you guarantee these occur when a random individual donates code?
❌ Institutional information – Inconceivable for strangers.
✅ Documentation – Should you write strong directions, you’ll be able to create a extra welcoming setting for anybody to contribute code. Nonetheless, documentation alone is not going to lead to a dependable course of, as a result of not everybody reads the guide.
✅ Affordances – There’s lots you are able to do right here, like templates for explaining your code contribution, or giving individuals clear buttons for various contributor actions (like signing the contributor license settlement).
✅ Software program checks – Having loads of software program checks in place makes it a lot simpler for individuals to contribute code that doesn’t break the prevailing challenge.
✅ Constraints – Repository hosts allow you to put all kinds of good constraints on code contribution: forestall merging on to essential, require code critiques, require contributor licenses, require CI to cross earlier than merging.
✅ Automation – CI is important as a result of it feeds data into the constraints you’ve arrange.
For this, I exploit a mixture of all completely different methods to attempt to get individuals to do the correct factor.
Cleansing Streams
Let’s revisit the story from the start of this text – how one can clear up sources in reactive streams of knowledge (particularly with RxJava).
❌ Institutional information – You may train individuals to wash up streams, however they’ll neglect.
❌ Documentation – No extra right than institutional information, simply simpler to unfold the data.
✅ Affordances – We used an RxJava device known as CompositeDisposable to wash up a bunch of streams without delay. AutoDispose provides simpler methods to wash up streams robotically as nicely. Nonetheless, all these options nonetheless require remembering to make use of them.
✅ Software program checks – We added RxLint to confirm that we truly deal with the returned stream subscription. Nonetheless, this doesn’t assure you keep away from a leak, simply that you just made an try to keep away from it. Should you’re utilizing AutoDispose, it gives a lint test to ensure it’s getting used.
✅ Constraints – I’m fairly excited by Kotlin coroutines’ scopes right here. As an alternative of placing the onus on the developer to recollect to wash up, a coroutine scope requires that you just outline the lifespan of the coroutine.
❌ Automation – Figuring out when a stream of knowledge is not wanted is one thing solely people can decide.
What technique you utilize right here relies on the library. One of the best answer IMO are constraints, the place the library itself forces you to keep away from leaks. Should you’re utilizing a library that may’t implement it (like RxJava), then affordances and software program checks are the best way to go.
Clearly, not each choice is out there to each downside – you’ll be able to’t automate your approach out of all software program growth! Nonetheless, at its core, the much less individuals must make selections, the higher for correctness. Free individuals’s minds up for what actually issues – growing software program, quite than wrestling with avoidable errors.