github.com/Team-Kujira/tendermint@v0.34.24-indexer/spec/light-client/accountability/Synopsis.md

# Synopsis

A TLA+ specification of a simplified Tendermint consensus, tuned for
fork accountability. The simplifications are as follows:

- the protocol runs for one height, that is, one-shot consensus

- this specification focuses on safety, so timeouts are modelled with
  non-determinism

- the proposer function is non-deterministic, and no fairness is assumed

- the messages by the faulty processes are injected right in the initial states

- every process has the voting power of 1

- hashes are modelled as the identity function

Having the above assumptions in mind, the specification follows the pseudo-code
of the Tendermint paper: <https://arxiv.org/abs/1807.04938>

Byzantine processes can demonstrate arbitrary behavior, including
no communication. However, we show that, given the collective evidence
collected by the correct processes, at least `f+1` Byzantine processes exhibit
one of the following behaviors:

- Equivocation: a Byzantine process sends two messages of the same type
  (e.g., two prevotes) for different values in the same round.

- Amnesia: a Byzantine process locks a value, although it has locked
  another value in the past.
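The two behaviors above, checked over a set of votes collected by the correct processes, as an added example that is not part of the specification or of this repository. It assumes the Synopsis's simplified model (one height, voting power 1, values standing in for hashes, `n = 3f+1` with `n = 4`, `f = 1` as in `MC_n4_f1`) and it refines the one-line amnesia definition with Tendermint's relock rule, under which a later lock on a different value is justified by a 2f+1 prevote quorum for that value in a round at or after the earlier lock and before the new one; that refinement, the process names and the vote sets are my assumptions, not taken from the page. The `accountability` function is the property that the `AgreementOrFork` theorem in the next section establishes: either there is no fork, or at least `f+1` processes are caught.

```python
"""Added example (not the spec's own code): fork accountability on collected vote
evidence under the Synopsis's simplifications (one height, voting power 1 per
process, values in place of hashes, n = 3f + 1)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Vote:
    sender: str
    round: int
    kind: str    # "PREVOTE" or "PRECOMMIT"
    value: str   # proposed value; "nil" is a vote for no value


def equivocators(evidence):
    """Equivocation: two same-type votes for different values in the same round."""
    values = defaultdict(set)
    for v in evidence:
        values[(v.sender, v.round, v.kind)].add(v.value)
    return {sender for (sender, _, _), vals in values.items() if len(vals) > 1}


def amnesiacs(evidence, f):
    """Amnesia: a process precommits (locks) v1 in round r1 and later precommits
    v2 != v1 in round r2 without a 2f+1 prevote quorum (polka) for v2 in any
    round r with r1 <= r < r2.  The polka exemption is Tendermint's relock rule
    (lockedRound <= vr < round), assumed here; the Synopsis only says "locks
    another value".  nil precommits do not lock anything."""
    quorum = 2 * f + 1
    prevoters = defaultdict(set)   # (round, value) -> senders
    locks = defaultdict(list)      # sender -> [(round, value)]
    for v in evidence:
        if v.value == "nil":
            continue
        if v.kind == "PREVOTE":
            prevoters[(v.round, v.value)].add(v.sender)
        elif v.kind == "PRECOMMIT":
            locks[v.sender].append((v.round, v.value))
    caught = set()
    for sender, locked in locks.items():
        locked.sort()
        for i, (r1, v1) in enumerate(locked):
            for r2, v2 in locked[i + 1:]:
                if r2 == r1 or v2 == v1:   # same round: equivocation, not amnesia
                    continue
                polka = any(len(prevoters[(r, v2)]) >= quorum for r in range(r1, r2))
                if not polka:
                    caught.add(sender)
    return caught


def decided_values(evidence, f):
    """Values carrying a 2f+1 precommit quorum in some round; two of them is a fork."""
    precommitters = defaultdict(set)
    for v in evidence:
        if v.kind == "PRECOMMIT" and v.value != "nil":
            precommitters[(v.round, v.value)].add(v.sender)
    return {val for (_, val), s in precommitters.items() if len(s) >= 2 * f + 1}


def accountability(evidence, f):
    """The Synopsis claim: no fork, or at least f+1 processes caught misbehaving."""
    forked = len(decided_values(evidence, f)) > 1
    culprits = equivocators(evidence) | amnesiacs(evidence, f)
    return (not forked) or len(culprits) >= f + 1, culprits


# Constructed evidence for n = 4, f = 1; p1 and p2 are the (actually) faulty processes.
def vote(kind, rnd, value, *senders):
    return [Vote(s, rnd, kind, value) for s in senders]


def equivocation_fork():
    """p1, p2 vote for both A and B in round 0; p3 decides A, p4 decides B."""
    return (vote("PREVOTE", 0, "A", "p1", "p2", "p3") + vote("PRECOMMIT", 0, "A", "p1", "p2", "p3")
            + vote("PREVOTE", 0, "B", "p1", "p2", "p4") + vote("PRECOMMIT", 0, "B", "p1", "p2", "p4"))


def amnesia_fork():
    """p1, p2 lock A in round 0 (p3 decides A), then forget the lock and help p4 decide B."""
    return (vote("PREVOTE", 0, "A", "p1", "p2", "p3") + vote("PRECOMMIT", 0, "A", "p1", "p2", "p3")
            + vote("PREVOTE", 1, "B", "p1", "p2", "p4") + vote("PRECOMMIT", 1, "B", "p1", "p2", "p4"))


def legitimate_relock():
    """p3 locks A in round 0, sees a polka for B in round 1, and correctly relocks on B in round 2."""
    return (vote("PREVOTE", 0, "A", "p1", "p2", "p3") + vote("PRECOMMIT", 0, "A", "p3")
            + vote("PREVOTE", 1, "B", "p1", "p2", "p4")
            + vote("PREVOTE", 2, "B", "p1", "p2", "p3", "p4")
            + vote("PRECOMMIT", 2, "B", "p1", "p2", "p3", "p4"))


if __name__ == "__main__":
    for name, ev in [("equivocation", equivocation_fork()), ("amnesia", amnesia_fork()),
                     ("relock", legitimate_relock())]:
        print(name, accountability(ev, f=1))
```

Both fork scenarios are attributed to exactly `{p1, p2}`, i.e. `f+1` processes, while the relock scenario produces a single decision and no culprits; dropping the polka exemption in `amnesiacs` would wrongly flag `p3` there, which is why the one-line definition in the Synopsis needs that caveat in practice.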
# TLA+ modules

- [TendermintAcc_004_draft](TendermintAcc_004_draft.tla) is the protocol
  specification,

- [TendermintAccInv_004_draft](TendermintAccInv_004_draft.tla) contains an
  inductive invariant for establishing the protocol safety as well as the
  forking cases,

- `MC_n<n>_f<f>`, e.g., [MC_n4_f1](MC_n4_f1.tla), contains fixed constants for
  model checking with the [Apalache model
  checker](https://github.com/informalsystems/apalache),

- [TendermintAccTrace_004_draft](TendermintAccTrace_004_draft.tla) shows how
  to restrict the execution space to a fixed sequence of actions (e.g., to
  instantiate a counterexample),

- [TendermintAccDebug_004_draft](TendermintAccDebug_004_draft.tla) contains
  the useful definitions for debugging the protocol specification with TLC and
  Apalache.

# Reasoning about fork scenarios

The theorem statements can be found in
[TendermintAccInv_004_draft.tla](TendermintAccInv_004_draft.tla).

First, we would like to show that `TypedInv` is an inductive invariant.
Formally, the statement looks as follows:

```tla
THEOREM TypedInvIsInductive ==
    \/ FaultyQuorum
    \/ /\ Init => TypedInv
       /\ TypedInv /\ [Next]_vars => TypedInv'
```

When over two-thirds of the processes are faulty (`FaultyQuorum`), `TypedInv` is
not inductive. However, there is no hope of repairing the protocol in this case.
We ran [Apalache](https://github.com/informalsystems/apalache) to prove this
theorem only for fixed instances of 4 to 5 validators. Apalache does not parse
theorem statements at the moment, so we ran it from a shell script. To obtain a
parameterized argument, one has to use a theorem prover, e.g., TLAPS.

Second, we would like to show that the invariant implies `Agreement`, that is,
no fork, provided that less than one third of the processes are faulty.
By combining this theorem with the previous theorem, we conclude that the
protocol indeed satisfies Agreement under the condition `LessThanThirdFaulty`.

```tla
THEOREM AgreementWhenLessThanThirdFaulty ==
    LessThanThirdFaulty /\ TypedInv => Agreement
```

Third, in the general case (no faulty quorum), either there is no fork, or one of
the two fork scenarios from the Synopsis (equivocation or amnesia) occurs and is
attributable to at least `f+1` Byzantine processes; this is the `Accountability`
property:

```tla
THEOREM AgreementOrFork ==
    ~FaultyQuorum /\ TypedInv => Accountability
```

# Model checking results

Check the report on [model checking with Apalache](./results/001indinv-apalache-report.md).

To run the model checking experiments, use the script:

```console
./run.sh
```

This script assumes that the Apalache build is available in
`~/devl/apalache-unstable`.