github.com/badrootd/nibiru-cometbft@v0.37.5-0.20240307173500-2a75559eee9b/spec/light-client/accountability/TendermintAccDebug_004_draft.tla

github.com/badrootd/nibiru-cometbft@v0.37.5-0.20240307173500-2a75559eee9b/spec/light-client/accountability/TendermintAccDebug_004_draft.tla (about)

     1  ------------------ MODULE TendermintAccDebug_004_draft -------------------------
     2  (*
     3   A few definitions that we use for debugging TendermintAcc3, which do not belong
     4   to the specification itself.
     5   
     6   * Version 3. Modular and parameterized definitions.
     7  
     8   Igor Konnov, 2020.
     9   *)
    10  
    11  EXTENDS TendermintAccInv_004_draft
    12  
    13  \* make them parameters?
    14  NFaultyProposals == 0   \* the number of injected faulty PROPOSE messages
    15  NFaultyPrevotes == 6    \* the number of injected faulty PREVOTE messages
    16  NFaultyPrecommits == 6  \* the number of injected faulty PRECOMMIT messages
    17  
    18  \* Given a set of allowed messages Msgs, this operator produces a function from
    19  \* rounds to sets of messages.
    20  \* Importantly, there will be exactly k messages in the image of msgFun.
    21  \* We use this action to produce k faults in an initial state.
    22  \* @type: ($round -> Set({ round: $round, a }),
    23  \*         Set({ round: $round, a }), Int)
    24  \*          => Bool;
    25  ProduceFaults(msgFun, From, k) ==
    26      \E f \in [1..k -> From]:
    27          msgFun = [r \in Rounds |-> {m \in {f[i]: i \in 1..k}: m.round = r}]
    28  
    29  \* As TLC explodes with faults, we may have initial states without faults    
    30  InitNoFaults ==
    31      /\ round = [p \in Corr |-> 0]
    32      /\ step = [p \in Corr |-> "PROPOSE"]
    33      /\ decision = [p \in Corr |-> NilValue]
    34      /\ lockedValue = [p \in Corr |-> NilValue]
    35      /\ lockedRound = [p \in Corr |-> NilRound]
    36      /\ validValue = [p \in Corr |-> NilValue]
    37      /\ validRound = [p \in Corr |-> NilRound]
    38      /\ msgsPropose = [r \in Rounds |-> {}]
    39      /\ msgsPrevote = [r \in Rounds |-> {}]
    40      /\ msgsPrecommit = [r \in Rounds |-> {}]
    41      /\ evidencePropose = {}
    42      /\ evidencePrevote = {}
    43      /\ evidencePrecommit = {}
    44  
    45  (*
    46   A specialized version of Init that injects NFaultyProposals proposals,
    47   NFaultyPrevotes prevotes, NFaultyPrecommits precommits by the faulty processes
    48   *)
    49  InitFewFaults ==
    50      /\ round = [p \in Corr |-> 0]
    51      /\ step = [p \in Corr |-> "PROPOSE"]
    52      /\ decision = [p \in Corr |-> NilValue]
    53      /\ lockedValue = [p \in Corr |-> NilValue]
    54      /\ lockedRound = [p \in Corr |-> NilRound]
    55      /\ validValue = [p \in Corr |-> NilValue]
    56      /\ validRound = [p \in Corr |-> NilRound]
    57      /\ ProduceFaults(msgsPrevote',
    58                       [type: {"PREVOTE"}, src: Faulty, round: Rounds, id: Values],
    59                       NFaultyPrevotes)
    60      /\ ProduceFaults(msgsPrecommit',
    61                       [type: {"PRECOMMIT"}, src: Faulty, round: Rounds, id: Values],
    62                       NFaultyPrecommits)
    63      /\ ProduceFaults(msgsPropose',
    64                       [type: {"PROPOSAL"}, src: Faulty, round: Rounds,
    65                                  proposal: Values, validRound: Rounds \cup {NilRound}],
    66                       NFaultyProposals)
    67      /\ evidencePropose = {}
    68      /\ evidencePrevote = {}
    69      /\ evidencePrecommit = {}
    70  
    71  \* Add faults incrementally
    72  NextWithFaults ==
    73      \* either the protocol makes a step
    74      \/ Next
    75      \* or a faulty process sends a message
    76      \//\ UNCHANGED <<round, step, decision, lockedValue,
    77                       lockedRound, validValue, validRound,
    78                       evidencePropose, evidencePrevote, evidencePrecommit>>
    79        /\ \E p \in Faulty:
    80           \E r \in Rounds:
    81             \//\ UNCHANGED <<msgsPrevote, msgsPrecommit>>
    82               /\ \E proposal \in ValidValues \union {NilValue}:
    83                  \E vr \in RoundsOrNil:
    84                    BroadcastProposal(p, r, proposal, vr)
    85             \//\ UNCHANGED <<msgsPropose, msgsPrecommit>>
    86               /\ \E id \in ValidValues \union {NilValue}:
    87                    BroadcastPrevote(p, r, id)
    88             \//\ UNCHANGED <<msgsPropose, msgsPrevote>>
    89               /\ \E id \in ValidValues \union {NilValue}:
    90                    BroadcastPrecommit(p, r, id)
    91  
    92  (******************************** PROPERTIES  ***************************************)
    93  \* simple reachability properties to see that the spec is progressing
    94  NoPrevote == \A p \in Corr: step[p] /= "PREVOTE" 
    95  
    96  NoPrecommit == \A p \in Corr: step[p] /= "PRECOMMIT"   
    97  
    98  NoValidPrecommit ==
    99      \A r \in Rounds:
   100        \A m \in msgsPrecommit[r]:
   101          m.id = NilValue \/ m.src \in Faulty
   102  
   103  NoHigherRounds == \A p \in Corr: round[p] < 1
   104  
   105  NoDecision == \A p \in Corr: decision[p] = NilValue                    
   106  
   107  =============================================================================    
   108