MIgrate and integrate TLA+ files from the spec repo#8018
MIgrate and integrate TLA+ files from the spec repo#8018williambanfield merged 5 commits intomasterfrom
Conversation
Kukovec
left a comment
There was a problem hiding this comment.
Since I wrote these changes it'd be odd if I didn't approve.
| /\ BenignRoundsInMessages(msgsPrecommit) | ||
| /\ evidence = EmptyMsgSet | ||
| /\ evidence = {} | ||
| /\ action' = "Init" |
There was a problem hiding this comment.
TLC is not happy about this. In its usual cryptic way: "In evaluation, the identifier action is either undefined or not an operator." This fixes it:
| /\ action' = "Init" | |
| /\ action = "Init" |
But then we run into deadlock, with AdvanceRealTime.
There was a problem hiding this comment.
Huh, I'm surprised this one slipped by. Apparently this has been here since v1:
It definitely shouldn't be primed here.
There was a problem hiding this comment.
Apalache has some tolerance for Init, where it will treat primes and non-primes inside exactly Init as the same, but I suppose TLC would complain.
There was a problem hiding this comment.
Huh, I'm surprised this one slipped by. Apparently this has been here since v1:
Yes, it was in v1 as well, i remember fixing it there in my local experiments.
| INSTANCE TendermintPBT_002_draft WITH | ||
| Corr <- {"c1", "c2"}, | ||
| Faulty <- {"f3", "f4"}, | ||
| N <- 4, | ||
| T <- 1, | ||
| ValidValues <- { "v0", "v1" }, | ||
| InvalidValues <- {"v2"}, | ||
| MaxRound <- 5, | ||
| MaxTimestamp <- 10, | ||
| MinTimestamp <- 2, | ||
| Delay <- 2, | ||
| Precision <- 2 | ||
|
|
There was a problem hiding this comment.
Could we also have an instance with <1/3rd faulty? And for this case could we have a formula in the TLA spec for consensus being reached after f+1 rounds?
There was a problem hiding this comment.
Sure, we can add any number of MC_XZY files with different parameters.
| => \E v \in ValidValues, t \in Timestamps, pr \in Rounds, r1 \in Rounds, r2 \in Rounds : | ||
| LET prop == Proposal(v,t,pr) | ||
| IN | ||
| /\ decision[p] = Decision(prop, r1) | ||
| /\ decision[q] = Decision(prop, r2) |
There was a problem hiding this comment.
Could you provide a "NonAgreementOnValue" so we can see some counterexamples? I tried ~AgreementOnValue but i get a trace on Init state (with NilDecision), also tried some other variants, like:
| => \E v \in ValidValues, t \in Timestamps, pr \in Rounds, r1 \in Rounds, r2 \in Rounds : | |
| LET prop == Proposal(v,t,pr) | |
| IN | |
| /\ decision[p] = Decision(prop, r1) | |
| /\ decision[q] = Decision(prop, r2) | |
| => \E v \in ValidValues, t \in Timestamps, pr \in Rounds, r1 \in Rounds, r2 \in Rounds : | |
| LET prop == Proposal(v,t,pr) | |
| IN | |
| \/ decision[p] /= Decision(prop, r1) | |
| \/ decision[q] /= Decision(prop, r2) |
There was a problem hiding this comment.
Right, the problem with your suggestion is that neither process is required to decide on a valid proposal, if it is written with just this disjunction. I think what you want is something along the lines of:
| => \E v \in ValidValues, t \in Timestamps, pr \in Rounds, r1 \in Rounds, r2 \in Rounds : | |
| LET prop == Proposal(v,t,pr) | |
| IN | |
| /\ decision[p] = Decision(prop, r1) | |
| /\ decision[q] = Decision(prop, r2) | |
| => \E p1 \in ValidProposals, p2 \in ValidProposals, r1 \in Rounds, r2 \in Rounds : | |
| /\ p1 /= p2 | |
| /\ decision[p] = Decision(p1, r1) | |
| /\ decision[q] = Decision(p2, r2) |
There was a problem hiding this comment.
That doesn't work either. I will keep trying but let me know if you come up with an invariant that fails.
| ELSE NilProposal | ||
| IN | ||
| BroadcastPrevote(p, round[p], mid) \* lines 24-26 | ||
| BroadcastPrevote(p, r, mid) \* lines 24-26 |
There was a problem hiding this comment.
Not clear to me that we prevote nil if msg is not timely. Maybe move the msg \in receivedTimelyProposal[p] check in LET mid...??
There was a problem hiding this comment.
If msg is not timely, the entire action UponProposalInPropose is disabled.
There was a problem hiding this comment.
But we want to prevote nil, right?
| *) | ||
| Next == | ||
| Next == | ||
| \/ AdvanceRealTime |
There was a problem hiding this comment.
Follow up on the deadlock, if I disable the deadlock check, in TLC actions I only see AdvanceRealTime (in addition to Init and Next). And a simple run (2 correct processes) never finishes.
There was a problem hiding this comment.
Ah actually it did finish.
|
Going to merge for now and open separate PRs for additional changes to these files. |
This PR cherry-picks a number of commits present in the `master` branch of this repository. Some of the commits are from the old `tendermint/spec` repository, namely: - tendermint/spec#369 - tendermint/spec#373 - tendermint/spec#375 - tendermint/spec#398 - tendermint/spec#399 This content has then been migrated to the `tendermint/tendermint` repository, from which follow PRs were considered: - tendermint/tendermint#7804 (**not cherry-picked**) - tendermint/tendermint#8018 - tendermint/tendermint#8096 Most of the conflicts and the fixes needed refer to links to content, that have been updated or referred to old repositories. The MD files that are currently under `spec/consensus/proposer-based-timestamp` were moved to the `v1` subdir. Files with similar names, but the `-002` suffix were added with the new solution, replacing the old ones. The differences from the original content, on `master` and the content of this PR are minimal, as one can check by running ` git diff master spec/consensus/proposer-based-timestamp/` Finally, the entry point of the added content can be found [here](https://github.com/cometbft/cometbft/blob/cason/pbts-spec/spec/consensus/proposer-based-timestamp/README.md). --------- Co-authored-by: Daniel <daniel.cason@usi.ch> Co-authored-by: Josef Widder <44643235+josef-widder@users.noreply.github.com> Co-authored-by: William Banfield <4561443+williambanfield@users.noreply.github.com> Co-authored-by: Kukovec <jure.kukovec@gmail.com> Co-authored-by: Daniel Cason <cason@gandria> Co-authored-by: M. J. Fromberger <fromberger@interchain.io> Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>
This PR cherry-picks a number of commits present in the `master` branch of this repository. Some of the commits are from the old `tendermint/spec` repository, namely: - tendermint/spec#369 - tendermint/spec#373 - tendermint/spec#375 - tendermint/spec#398 - tendermint/spec#399 This content has then been migrated to the `tendermint/tendermint` repository, from which follow PRs were considered: - tendermint/tendermint#7804 (**not cherry-picked**) - tendermint/tendermint#8018 - tendermint/tendermint#8096 Most of the conflicts and the fixes needed refer to links to content, that have been updated or referred to old repositories. The MD files that are currently under `spec/consensus/proposer-based-timestamp` were moved to the `v1` subdir. Files with similar names, but the `-002` suffix were added with the new solution, replacing the old ones. The differences from the original content, on `master` and the content of this PR are minimal, as one can check by running ` git diff master spec/consensus/proposer-based-timestamp/` Finally, the entry point of the added content can be found [here](https://github.com/cometbft/cometbft/blob/cason/pbts-spec/spec/consensus/proposer-based-timestamp/README.md). --------- Co-authored-by: Daniel <daniel.cason@usi.ch> Co-authored-by: Josef Widder <44643235+josef-widder@users.noreply.github.com> Co-authored-by: William Banfield <4561443+williambanfield@users.noreply.github.com> Co-authored-by: Kukovec <jure.kukovec@gmail.com> Co-authored-by: Daniel Cason <cason@gandria> Co-authored-by: M. J. Fromberger <fromberger@interchain.io> Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com> (cherry picked from commit 84339ef)
Changes to the TLA+ specifications that need to be integrated.
This recreates #8004, which I merged not realizing it was more than just a migration of files. Apologies for the noise.