github.com/ari-anchor/sei-tendermint@v0.0.0-20230519144642-dc826b7b56bb/spec/light-client/accountability/TendermintAccDebug_004_draft.tla

------------------ MODULE TendermintAccDebug_004_draft -------------------------
(*
 A few definitions that we use for debugging TendermintAcc3, which do not belong
 to the specification itself.

 * Version 3. Modular and parameterized definitions.

 Igor Konnov, 2020.
 *)

EXTENDS TendermintAccInv_004_draft

\* make them parameters?
NFaultyProposals == 0   \* the number of injected faulty PROPOSE messages
NFaultyPrevotes == 6    \* the number of injected faulty PREVOTE messages
NFaultyPrecommits == 6  \* the number of injected faulty PRECOMMIT messages

\* Given a set of allowed messages Msgs, this operator produces a function from
\* rounds to sets of messages.
\* Importantly, there will be exactly k messages in the image of msgFun.
\* We use this action to produce k faults in an initial state.
\* @type: (ROUND -> Set(MESSAGE), Set(MESSAGE), Int) => Bool;
ProduceFaults(msgFun, From, k) ==
    \E f \in [1..k -> From]:
        msgFun = [r \in Rounds |-> {m \in {f[i]: i \in 1..k}: m.round = r}]

\* As TLC explodes with faults, we may have initial states without faults
InitNoFaults ==
    /\ round = [p \in Corr |-> 0]
    /\ step = [p \in Corr |-> "PROPOSE"]
    /\ decision = [p \in Corr |-> NilValue]
    /\ lockedValue = [p \in Corr |-> NilValue]
    /\ lockedRound = [p \in Corr |-> NilRound]
    /\ validValue = [p \in Corr |-> NilValue]
    /\ validRound = [p \in Corr |-> NilRound]
    /\ msgsPropose = [r \in Rounds |-> EmptyMsgSet]
    /\ msgsPrevote = [r \in Rounds |-> EmptyMsgSet]
    /\ msgsPrecommit = [r \in Rounds |-> EmptyMsgSet]
    /\ evidence = EmptyMsgSet

(*
 A specialized version of Init that injects NFaultyProposals proposals,
 NFaultyPrevotes prevotes, NFaultyPrecommits precommits by the faulty processes
 *)
InitFewFaults ==
    /\ round = [p \in Corr |-> 0]
    /\ step = [p \in Corr |-> "PROPOSE"]
    /\ decision = [p \in Corr |-> NilValue]
    /\ lockedValue = [p \in Corr |-> NilValue]
    /\ lockedRound = [p \in Corr |-> NilRound]
    /\ validValue = [p \in Corr |-> NilValue]
    /\ validRound = [p \in Corr |-> NilRound]
    /\ ProduceFaults(msgsPrevote',
                     [type: {"PREVOTE"}, src: Faulty, round: Rounds, id: Values],
                     NFaultyPrevotes)
    /\ ProduceFaults(msgsPrecommit',
                     [type: {"PRECOMMIT"}, src: Faulty, round: Rounds, id: Values],
                     NFaultyPrecommits)
    /\ ProduceFaults(msgsPropose',
                     [type: {"PROPOSAL"}, src: Faulty, round: Rounds,
                      proposal: Values, validRound: Rounds \cup {NilRound}],
                     NFaultyProposals)
    /\ evidence = EmptyMsgSet

\* Add faults incrementally
NextWithFaults ==
    \* either the protocol makes a step
    \/ Next
    \* or a faulty process sends a message
    \/ /\ UNCHANGED <<round, step, decision, lockedValue,
                      lockedRound, validValue, validRound, evidence>>
       /\ \E p \in Faulty:
          \E r \in Rounds:
            \/ /\ UNCHANGED <<msgsPrevote, msgsPrecommit>>
               /\ \E proposal \in ValidValues \union {NilValue}:
                  \E vr \in RoundsOrNil:
                    BroadcastProposal(p, r, proposal, vr)
            \/ /\ UNCHANGED <<msgsPropose, msgsPrecommit>>
               /\ \E id \in ValidValues \union {NilValue}:
                    BroadcastPrevote(p, r, id)
            \/ /\ UNCHANGED <<msgsPropose, msgsPrevote>>
               /\ \E id \in ValidValues \union {NilValue}:
                    BroadcastPrecommit(p, r, id)

(******************************** PROPERTIES ***************************************)
\* simple reachability properties to see that the spec is progressing
NoPrevote == \A p \in Corr: step[p] /= "PREVOTE"

NoPrecommit == \A p \in Corr: step[p] /= "PRECOMMIT"

NoValidPrecommit ==
    \A r \in Rounds:
      \A m \in msgsPrecommit[r]:
        m.id = NilValue \/ m.src \in Faulty

NoHigherRounds == \A p \in Corr: round[p] < 1

NoDecision == \A p \in Corr: decision[p] = NilValue

=============================================================================
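ProduceFaults above picks a function f from 1..k to the allowed message set and indexes its image by round. The Python example below (added here, not part of the spec or the sei-tendermint project) replays that enumeration on a constructed miniature of the PREVOTE record set and counts the injected messages in each reachable msgFun; because the set builder {f[i] : i \in 1..k} collapses duplicates, maps with fewer than k messages show up alongside those with exactly k, which matters when reading a counterexample's initial state. The constants ROUNDS, FAULTY and VALUES are assumed toy values, not the model's.

```python
from itertools import product

# Constructed miniature of the spec's constants (assumption, not the model's values).
ROUNDS = (0, 1)
FAULTY = ("f1",)
VALUES = ("v0", "v1")


def prevote_message_set():
    """The TLA+ record set [type: {"PREVOTE"}, src: Faulty, round: Rounds, id: Values]."""
    return [
        {"type": "PREVOTE", "src": s, "round": r, "id": v}
        for s in FAULTY for r in ROUNDS for v in VALUES
    ]


def freeze(msg):
    """Hashable form of a message record so it can be placed in a set."""
    return tuple(sorted(msg.items()))


def produce_faults(from_msgs, k):
    """Every msgFun satisfying ProduceFaults(msgFun, From, k).

    Mirrors the existential: for each f in [1..k -> From], build
    r |-> {f[i] : i in 1..k} restricted to messages with m.round = r.
    The set builder drops duplicates, so a non-injective f injects
    fewer than k distinct messages.
    """
    results = set()
    for f in product(from_msgs, repeat=k):  # all functions 1..k -> From
        image = {freeze(m) for m in f}
        msg_fun = tuple(
            (r, frozenset(m for m in image if dict(m)["round"] == r))
            for r in ROUNDS
        )
        results.add(msg_fun)
    return results


def fault_counts(msg_funs):
    """Distinct totals of injected messages across the reachable msgFun maps."""
    return sorted({sum(len(msgs) for _, msgs in mf) for mf in msg_funs})


if __name__ == "__main__":
    funs = produce_faults(prevote_message_set(), 2)
    print(len(funs), "distinct msgFun maps; fault totals:", fault_counts(funs))
```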