------------------ MODULE TendermintAccDebug_004_draft -------------------------
(*
 A few definitions that we use for debugging TendermintAcc3, which do not belong
 to the specification itself.

 This module only adds debugging helpers on top of TendermintAccInv_004_draft:
 alternative initial predicates (with and without injected faulty messages),
 a next-state relation that lets faulty processes inject messages on the fly,
 and a handful of "negated" reachability properties whose counterexamples show
 that the protocol actually progresses. None of this is part of the protocol
 specification proper.

 * Version 3. Modular and parameterized definitions.

 Igor Konnov, 2020.
 *)

EXTENDS TendermintAccInv_004_draft

\* make them parameters?
\* Number of faulty messages injected into the initial state by InitFewFaults.
\* With NFaultyProposals = 0 the proposal injection is vacuous: the only
\* function in [1..0 -> From] is the empty one, so every round gets an empty
\* set of faulty proposals.
NFaultyProposals == 0   \* the number of injected faulty PROPOSE messages
NFaultyPrevotes == 6    \* the number of injected faulty PREVOTE messages
NFaultyPrecommits == 6  \* the number of injected faulty PRECOMMIT messages

\* Given a set of allowed messages From, this operator constrains msgFun to be
\* a function from rounds to sets of messages drawn from From, where each
\* message is filed under the round it carries (m.round = r).
\* Note that f is an arbitrary function 1..k -> From, not necessarily injective,
\* and {f[i]: i \in 1..k} is a set: duplicates collapse, so the image of msgFun
\* holds AT MOST k messages in total, not exactly k. With k = 0 the image is
\* empty in every round.
\* We use this action to produce up to k faults in an initial state.
ProduceFaults(msgFun, From, k) ==
  \E f \in [1..k -> From]:
    msgFun = [r \in Rounds |-> {m \in {f[i]: i \in 1..k}: m.round = r}]

\* As TLC explodes with faults, we may have initial states without faults
\* Every correct process starts in round 0, step PROPOSE, with nothing decided,
\* locked or valid, and all message sets (and the evidence set) empty.
InitNoFaults ==
    /\ round = [p \in Corr |-> 0]
    /\ step = [p \in Corr |-> "PROPOSE"]
    /\ decision = [p \in Corr |-> NilValue]
    /\ lockedValue = [p \in Corr |-> NilValue]
    /\ lockedRound = [p \in Corr |-> NilRound]
    /\ validValue = [p \in Corr |-> NilValue]
    /\ validRound = [p \in Corr |-> NilRound]
    /\ msgsPropose = [r \in Rounds |-> EmptyMsgSet]
    /\ msgsPrevote = [r \in Rounds |-> EmptyMsgSet]
    /\ msgsPrecommit = [r \in Rounds |-> EmptyMsgSet]
    /\ evidence = EmptyMsgSet

(*
 A specialized version of Init that injects up to NFaultyProposals proposals,
 NFaultyPrevotes prevotes, NFaultyPrecommits precommits by the faulty processes
 (see ProduceFaults: the counts are upper bounds, since duplicate picks collapse).

 The correct processes start exactly as in InitNoFaults; only the message sets
 differ. The injected messages carry src \in Faulty and arbitrary rounds, and
 their ids / proposals range over Values (for proposals, any validRound in
 Rounds \cup {NilRound}). The evidence set still starts empty, i.e. the
 injected equivocation is not pre-recorded as evidence.

 NOTE(review): the message-set conjuncts constrain the PRIMED variables
 (msgsPrevote', msgsPrecommit', msgsPropose') inside an initial-state
 predicate, while every other conjunct is unprimed. This reads as a convention
 of the model checker this draft targets (the Apalache-style specs in this
 directory); confirm that the checker in use accepts primes in Init before
 relying on InitFewFaults.
 *)
InitFewFaults ==
    /\ round = [p \in Corr |-> 0]
    /\ step = [p \in Corr |-> "PROPOSE"]
    /\ decision = [p \in Corr |-> NilValue]
    /\ lockedValue = [p \in Corr |-> NilValue]
    /\ lockedRound = [p \in Corr |-> NilRound]
    /\ validValue = [p \in Corr |-> NilValue]
    /\ validRound = [p \in Corr |-> NilRound]
    /\ ProduceFaults(msgsPrevote',
                     SetOfMsgs([type: {"PREVOTE"}, src: Faulty, round: Rounds, id: Values]),
                     NFaultyPrevotes)
    /\ ProduceFaults(msgsPrecommit',
                     SetOfMsgs([type: {"PRECOMMIT"}, src: Faulty, round: Rounds, id: Values]),
                     NFaultyPrecommits)
    /\ ProduceFaults(msgsPropose',
                     SetOfMsgs([type: {"PROPOSAL"}, src: Faulty, round: Rounds,
                                proposal: Values, validRound: Rounds \cup {NilRound}]),
                     NFaultyProposals)
    /\ evidence = EmptyMsgSet

\* Add faults incrementally
\* A next-state relation in which, at every step, either the protocol (Next)
\* moves, or one faulty process p broadcasts a single message in some round r:
\* a proposal, a prevote or a precommit, exactly one of the three message sets
\* changing per step. The local state of the correct processes and the
\* evidence set are left untouched by the faulty step.
\*
\* NOTE(review): the initial injection in InitFewFaults draws ids/proposals from
\* Values, whereas this action restricts the faulty sender to
\* ValidValues \union {NilValue}. If Values is a strict superset of ValidValues
\* (e.g. contains invalid values), the incremental adversary is weaker than the
\* initial one and cannot exercise the invalid-value paths of the protocol;
\* confirm this asymmetry is intended rather than an oversight.
NextWithFaults ==
    \* either the protocol makes a step
    \/ Next
    \* or a faulty process sends a message
    \//\ UNCHANGED <<round, step, decision, lockedValue,
                   lockedRound, validValue, validRound, evidence>>
      /\ \E p \in Faulty:
         \E r \in Rounds:
            \* a faulty PROPOSAL with an arbitrary (possibly nil) valid round
            \//\ UNCHANGED <<msgsPrevote, msgsPrecommit>>
              /\ \E proposal \in ValidValues \union {NilValue}:
                 \E vr \in RoundsOrNil:
                    BroadcastProposal(p, r, proposal, vr)
            \* a faulty PREVOTE
            \//\ UNCHANGED <<msgsPropose, msgsPrecommit>>
              /\ \E id \in ValidValues \union {NilValue}:
                    BroadcastPrevote(p, r, id)
            \* a faulty PRECOMMIT
            \//\ UNCHANGED <<msgsPropose, msgsPrevote>>
              /\ \E id \in ValidValues \union {NilValue}:
                    BroadcastPrecommit(p, r, id)

(******************************** PROPERTIES ***************************************)
\* simple reachability properties to see that the spec is progressing
\* Each property below is the NEGATION of a state we want to reach; checking it
\* as an invariant and obtaining a counterexample demonstrates that the state
\* is reachable. A property that holds on all states means the corresponding
\* behaviour is never exercised (useful for spotting a vacuous model).

\* No correct process has reached the PREVOTE step.
NoPrevote == \A p \in Corr: step[p] /= "PREVOTE"

\* No correct process has reached the PRECOMMIT step.
NoPrecommit == \A p \in Corr: step[p] /= "PRECOMMIT"

\* Every precommit in flight is either for nil or sent by a faulty process,
\* i.e. no CORRECT process has precommitted a non-nil value in any round.
NoValidPrecommit ==
    \A r \in Rounds:
      \A m \in msgsPrecommit[r]:
        m.id = NilValue \/ m.src \in Faulty

\* No correct process has left round 0 (rounds start at 0 in both Init variants).
NoHigherRounds == \A p \in Corr: round[p] < 1

\* No correct process has decided.
NoDecision == \A p \in Corr: decision[p] = NilValue

=============================================================================