Changes to TLA+ specs for model-based testing #546
Conversation
andrey-kuprianov
added
light-client
|
Here is the relevant reviews from the original PR: #529 (review) |
andrey-kuprianov
changed the title
|
The discussion from the original PR:
|
|
The problem I have is with the following model-based test: |
|
@konnov The model is such that this verdict is logically excluded |
We have to investigate this. Can it be that this verdict is overwritten by another block later? Since you are only checking the history post-factum, this can happen. |
|
I am pretty sure it is excluded by the combination of logical constraints in the model... yes, let's investigate. |
| @@ -110,7 +110,7 @@ FaultAssumption(pFaultyNodes, pNow, pBlockchain) == | |||
| (* Can a block be produced by a correct peer, or an authenticated Byzantine peer *) | |||
| IsLightBlockAllowedByDigitalSignatures(ht, block) == | |||
| \/ block.header = blockchain[ht] \* signed by correct and faulty (maybe) | |||
| \/ block.Commits \subseteq Faulty /\ block.header.height = ht \* signed only by faulty | |||
| \/ block.Commits \subseteq Faulty /\ block.header.height = ht /\ block.header.time > 0 \* signed only by faulty | |||
There was a problem hiding this comment.
| \/ block.Commits \subseteq Faulty /\ block.header.height = ht /\ block.header.time > 0 \* signed only by faulty | |
| \/ block.Commits \subseteq Faulty /\ block.header.height = ht /\ block.header.time >= 0 \* signed only by faulty |
| /\ thdr.time <= uhdr.time | ||
| /\ thdr.time < uhdr.time | ||
| \* the untrusted block is not from the future | ||
| /\ uhdr.time <= now |
There was a problem hiding this comment.
| /\ uhdr.time <= now | |
| /\ uhdr.time < now + CLOCK_DRIFT |
| @@ -75,7 +75,7 @@ LBT == [header |-> BT, Commits |-> {NT}] | |||
|
|
|||
| (* the header is still within the trusting period *) | |||
| InTrustingPeriod(header) == | |||
| now <= header.time + TRUSTING_PERIOD | |||
| now < header.time + TRUSTING_PERIOD | |||
There was a problem hiding this comment.
I see the <= actually appears to contradict the english spec which says
- *LightStore* always contains a verified header whose age is less than the trusting period,
So it seems clear that what we ant is "less than", but perhaps this inconsistency was due in part to the wording and terminology here. E.g., in this paragraph
In order to ensure liveness, LightStore always needs to contain a
verified (or initially trusted) header whose time is within the
trusting period.
"trust period" is spoken of as a duration that the header needs to be within not as a limit point that the header time needs to be less than. I wonder if calling this TRUST_PERIOD_LIMIT might help prevent such confusion i the future. I suspect a problem with the current wording may arise due to "trusting period" sounds like a span within which things are valid, when it's actually meant to be the outer limit beyond which things are invalid. iiuc, the trust period is that span of time up to but not including the limit.
There was a problem hiding this comment.
You are right: <= does contradict the English spec, so this is the TLA+ modeling artifact. That there can be ambiguities in the English spec, that's of course possible -- English is not a formal language after all;) I still think that our English spec does an amazing job of clarifying the requirements at the semi-formal (and as close to formal as possible) level. But exactly because of this non-strictness of the English language the TLA+ spec should, in my opinion, be the ultimate source of truth for all parties.
One of the things we were discussing with @josef-widder and @konnov is that now, when we have the three artifacts: the English spec, the TLA+ spec, and the implementation, and also now that we have the MBT, which serves as the "missing link" helping to synchronize them, we need to establish a process (in the VDD sense) that will help us to resolve the conflicts.
In this PR I've fixed the TLA+ spec, because it was the most easy way for me to go, but it's not clear at all whether that's the right thing to do. We need to figure out a joint understanding between the research and the development teams on how to proceed in such cases.
There was a problem hiding this comment.
In this case, given the larger context, I don't believe it matters much whether we use < or <= here since we are dealing with time and already assume clocks can drift some amount. The important thing is that TRUST_PERIOD is a fraction of the UNBONDING_PERIOD. This ensures that light clients have the duration of UNBONDING_PERIOD - TRUST_PERIOD to try and submit evidence to the chain and get faulty validators punished. And since all these periods are on the order of days/weeks, the < vs. <= here shouldn't make a difference in the end.
Also while UNBONDING_PERIOD is a global consensus parameter (all nodes agree on), the TRUST_PERIOD is not, it's a local subjective parameter that clients can set depending on their risk tolerance. So again, the plank second difference between < and <= shouldn't matter there.
Of course that might be an unsatisfactory answer - I don't mean to be flippant about it and we should certainly be consistent and precise, but it's important to keep the practical context in mind so we know what details are most important to focus on. Of course this is just input from my feeble human mind so possibly machine will prove that it does matter, but thought it was worth providing the extra context here.
There was a problem hiding this comment.
Thanks for the feedback! I totally agree, from the practical perspective these differences between < and <= do not matter at all in this particular context, so this case we could fix however we like, and it would make no real difference. There are two things to keep in mind though:
- scientifically, we can't be approximately precise. And I would like to think about our specs as being precise, so we should clarify and fix any ambiguities.
- this particular example is only a manifestation of a general problem about the artifacts we are having, and I am sure we will encounter more instances of it, with probably higher level of severity. So it's better if we are prepared for that.
Also I tend to perceive us having this problem as rather a good thing, demonstrating that from now on we will have a living specification, which is in sync with the implementation.
This is only the input from another feeble human mind, just a bit different;) And I am sure fixing this will not take much of either our focus or time.
| - verdict: the light client verdict for the `current` block in this state | ||
| *) | ||
| VARIABLE | ||
| history |
There was a problem hiding this comment.
Just a question for my learning, I don't see the history function actually getting used anywhere except on https://github.com/informalsystems/tendermint-rs/pull/546/files#diff-04b72e322e067c19d149fbabcfe5a830R272 where is is UNCHANGED. Could you maybe point out to me where we actually apply the function to make use of the records in its codomain?
There was a problem hiding this comment.
It's used here:
- LightTests.tla to describe the TLA+ tests,
- and here apalache-tendermint.json to extract the information from the Apalache counterexample.
It was part of another PR, which is already merged.
There was a problem hiding this comment.
Also, as we discussed with @josef-widder and @konnov, the way I introduce the history variable needs to be changed, because this feature is not needed for all users of the spec. So we need to figure out how to modularize the spec, and to allow to add the history as an extension.
There was a problem hiding this comment.
Ah, got it. Thanks very much for the pointers!
|
@josef-widder @konnov Here is the logical explanation why "FAILED_TRUSTING_PERIOD" verdict is impossible: For it to be issued the following should hold:
Denoting
which, combined, give this inequality:
which is impossible. |
|
To be more precise, this is impossible taking into account the changes to the specs I propose, because those changes make strict inequalities out of two non-strict ones. Without those changes this verdict would be possible with a single valuation, namely:
|
|
Looks like we have to add clock drift, to make sense of error condition. |
|
@konnov @josef-widder I've implemented our discussions, in particular factored out building the history chain from the main LightClient spec into the testing spec. Could you please review the changes to For now this is still shown as the changes to the TLA files from Thanks! |
|
Files names should be like |
Part 1 of #529. See also #414. Changes to the TLA+ specs needed for model-based testing
introduced history variable into the LightClient spec
fixed a couple of divergences between the spec and the implementation, that resulted in failing model-based tests.
Referenced an issue explaining the need for the change
Updated all relevant documentation in docs
Updated all code comments where relevant
Wrote tests
Updated CHANGELOG.md