informalsystems · andrey-kuprianov · Sep 24, 2020 · Sep 2, 2020 · Sep 11, 2020 · Sep 23, 2020
diff --git a/docs/spec/lightclient/verification/Blockchain_A_1.tla b/docs/spec/lightclient/verification/Blockchain_A_1.tla
@@ -75,7 +75,7 @@ LBT == [header |-> BT, Commits |-> {NT}]
 
 (* the header is still within the trusting period *)
 InTrustingPeriod(header) ==
-    now <= header.time + TRUSTING_PERIOD
+    now < header.time + TRUSTING_PERIOD
 
 (*
  Given a function pVotingPower \in D -> Powers for some D \subseteq AllNodes
@@ -110,7 +110,7 @@ FaultAssumption(pFaultyNodes, pNow, pBlockchain) ==
 (* Can a block be produced by a correct peer, or an authenticated Byzantine peer *)
 IsLightBlockAllowedByDigitalSignatures(ht, block) == 
     \/ block.header = blockchain[ht] \* signed by correct and faulty (maybe)
-    \/ block.Commits \subseteq Faulty /\ block.header.height = ht \* signed only by faulty
+    \/ block.Commits \subseteq Faulty /\ block.header.height = ht /\ block.header.time >= 0 \* signed only by faulty
 
 (*
  Initialize the blockchain to the ultimate height right in the initial states.

diff --git a/docs/spec/lightclient/verification/Lightclient_A_1.tla b/docs/spec/lightclient/verification/Lightclient_A_1.tla
@@ -29,8 +29,28 @@ VARIABLES
   lightBlockStatus,   (* a function from heights to block statuses *)
   latestVerified      (* the latest verified block *)
 
-(* the variables of the lite client *)  
-lcvars == <<state, nextHeight, fetchedLightBlocks, lightBlockStatus, latestVerified>>  
+(* the variables of the lite client *)
+lcvars == <<state, nextHeight, fetchedLightBlocks, lightBlockStatus, latestVerified>>
+
+(* the light client previous state components, used for monitoring *)
+VARIABLES
+  prevVerified,
+  prevCurrent,
+  prevNow,
+  prevVerdict
+
+InitMonitor(verified, current, now, verdict) ==
+  /\ prevVerified = verified
+  /\ prevCurrent = current
+  /\ prevNow = now
+  /\ prevVerdict = verdict
+
+NextMonitor(verified, current, now, verdict) ==
+  /\ prevVerified' = verified
+  /\ prevCurrent' = current
+  /\ prevNow' = now
+  /\ prevVerdict' = verdict
+
 
 (******************* Blockchain instance ***********************************)
 
@@ -74,7 +94,9 @@ ValidAndVerifiedPre(trusted, untrusted) ==
   /\ BC!InTrustingPeriod(thdr)
   /\ thdr.height < uhdr.height
      \* the trusted block has been created earlier (no drift here)
-  /\ thdr.time <= uhdr.time
+  /\ thdr.time < uhdr.time
+     \* the untrusted block is not from the future
+  /\ uhdr.time < now
   /\ untrusted.Commits \subseteq uhdr.VS
   /\ LET TP == Cardinality(uhdr.VS)
          SP == Cardinality(untrusted.Commits)
@@ -106,7 +128,7 @@ SignedByOneThirdOfTrusted(trusted, untrusted) ==
  *)   
 ValidAndVerified(trusted, untrusted) ==
     IF ~ValidAndVerifiedPre(trusted, untrusted)
-    THEN "FAILED_VERIFICATION"
+    THEN "INVALID"
     ELSE IF ~BC!InTrustingPeriod(untrusted.header)
     (* We leave the following test for the documentation purposes.
        The implementation should do this test, as signature verification may be slow.
@@ -115,8 +137,8 @@ ValidAndVerified(trusted, untrusted) ==
     THEN "FAILED_TRUSTING_PERIOD" 
     ELSE IF untrusted.header.height = trusted.header.height + 1
              \/ SignedByOneThirdOfTrusted(trusted, untrusted)
-         THEN "OK"
-         ELSE "CANNOT_VERIFY"
+         THEN "SUCCESS"
+         ELSE "NOT_ENOUGH_TRUST"
 
 (*
  Initial states of the light client.
@@ -135,6 +157,7 @@ LCInit ==
         /\ lightBlockStatus = [h \in {TRUSTED_HEIGHT} |-> "StateVerified"]
         \* the latest verified block the the trusted block
         /\ latestVerified = trustedLightBlock
+        /\ InitHistory(trustedLightBlock, trustedLightBlock, now, "SUCCESS")
 
 \* block should contain a copy of the block from the reference chain, with a matching commit
 CopyLightBlockFromChain(block, height) ==
@@ -207,8 +230,9 @@ VerifyToTargetLoop ==
         /\ nprobes' = nprobes + 1
         \* Verify the current block
         /\ LET verdict == ValidAndVerified(latestVerified, current) IN
+           NextHistory(latestVerified, current, now, verdict) /\
            \* Decide whether/how to continue
-           CASE verdict = "OK" ->
+           CASE verdict = "SUCCESS" ->
               /\ lightBlockStatus' = LightStoreUpdateStates(lightBlockStatus, nextHeight, "StateVerified")
               /\ latestVerified' = current
               /\ state' =
@@ -219,7 +243,7 @@ VerifyToTargetLoop ==
                  /\ CanScheduleTo(newHeight, current, nextHeight, TARGET_HEIGHT)
                  /\ nextHeight' = newHeight
 
-           [] verdict = "CANNOT_VERIFY" ->
+           [] verdict = "NOT_ENOUGH_TRUST" ->
               (*
                 do nothing: the light block current passed validation, but the validator
                 set is too different to verify it. We keep the state of
@@ -244,7 +268,8 @@ VerifyToTargetLoop ==
 VerifyToTargetDone ==
     /\ latestVerified.header.height >= TARGET_HEIGHT
     /\ state' = "finishedSuccess"
-    /\ UNCHANGED <<nextHeight, nprobes, fetchedLightBlocks, lightBlockStatus, latestVerified>>  
+    /\ UNCHANGED <<nextHeight, nprobes, fetchedLightBlocks, lightBlockStatus, latestVerified>>
+    /\ UNCHANGED <<prevVerified, prevCurrent, prevNow, prevVerdict>>
 
 (********************* Lite client + Blockchain *******************)
 Init ==
@@ -310,7 +335,7 @@ CorrectnessInv ==
             fetchedLightBlocks[h].header = blockchain[h]
 
 (**
- Check that the sequence of the headers in storedLightBlocks satisfies ValidAndVerified = "OK" pairwise
+ Check that the sequence of the headers in storedLightBlocks satisfies ValidAndVerified = "SUCCESS" pairwise
  This property is easily violated, whenever a header cannot be trusted anymore.
  *)
 StoredHeadersAreVerifiedInv ==
@@ -322,7 +347,7 @@ StoredHeadersAreVerifiedInv ==
             \/ \E mh \in DOMAIN fetchedLightBlocks:
                 lh < mh /\ mh < rh
                \* or we can verify the right one using the left one
-            \/ "OK" = ValidAndVerified(fetchedLightBlocks[lh], fetchedLightBlocks[rh])
+            \/ "SUCCESS" = ValidAndVerified(fetchedLightBlocks[lh], fetchedLightBlocks[rh])
 
 \* An improved version of StoredHeadersAreSound, assuming that a header may be not trusted.
 \* This invariant candidate is also violated,
@@ -336,7 +361,7 @@ StoredHeadersAreVerifiedOrNotTrustedInv ==
             \/ \E mh \in DOMAIN fetchedLightBlocks:
                 lh < mh /\ mh < rh
                \* or we can verify the right one using the left one
-            \/ "OK" = ValidAndVerified(fetchedLightBlocks[lh], fetchedLightBlocks[rh])
+            \/ "SUCCESS" = ValidAndVerified(fetchedLightBlocks[lh], fetchedLightBlocks[rh])
                \* or the left header is outside the trusting period, so no guarantees
             \/ ~BC!InTrustingPeriod(fetchedLightBlocks[lh].header) 
 
@@ -359,7 +384,7 @@ ProofOfChainOfTrustInv ==
                \* or the left header is outside the trusting period, so no guarantees
             \/ ~(BC!InTrustingPeriod(fetchedLightBlocks[lh].header))
                \* or we can verify the right one using the left one
-            \/ "OK" = ValidAndVerified(fetchedLightBlocks[lh], fetchedLightBlocks[rh])
+            \/ "SUCCESS" = ValidAndVerified(fetchedLightBlocks[lh], fetchedLightBlocks[rh])
 
 (**
  * When the light client terminates, there are no failed blocks. (Otherwise, someone lied to us.) 

diff --git a/light-client/tests/model_based.rs b/light-client/tests/model_based.rs
@@ -115,8 +115,8 @@ fn model_based_test(
         output_env.logln("    failed to find necessary programs; consider adding them to your PATH. skipping the test");
         return;
     }
-    env.copy_file_from_env(root_env, "Lightclient_A_1.tla");
-    env.copy_file_from_env(root_env, "Blockchain_A_1.tla");
+    env.copy_file_from_env(root_env, "Lightclient_002_draft.tla");
+    env.copy_file_from_env(root_env, "Blockchain_002_draft.tla");
     env.copy_file_from_env(root_env, "LightTests.tla");
     env.copy_file_from_env(root_env, &test.model);
 
@@ -128,6 +128,8 @@ fn model_based_test(
         },
         Err(e) => panic!("failed to run Apalache; reason: {}", e),
     }
+    output_env.copy_file_from_env(env, "counterexample.tla");
+    output_env.copy_file_from_env(env, "counterexample.json");
 
     let transform_spec = root_env
         .full_canonical_path("_jsonatr-lib/apalache_to_lite_test.json")
@@ -143,8 +145,6 @@ fn model_based_test(
     let tc: SingleStepTestCase = env.parse_file("test.json").unwrap();
     println!("  > running auto-generated test...");
     single_step_test(tc, env, root_env, output_env);
-    output_env.copy_file_from_env(env, "counterexample.tla");
-    output_env.copy_file_from_env(env, "counterexample.json");
 }
 
 fn model_based_test_batch(batch: ApalacheTestBatch) -> Vec<(String, String)> {

diff --git a/light-client/tests/support/model_based/Blockchain_002_draft.tla b/light-client/tests/support/model_based/Blockchain_002_draft.tla
@@ -0,0 +1,171 @@
+------------------------ MODULE Blockchain_002_draft -----------------------------
+(*
+  This is a high-level specification of Tendermint blockchain
+  that is designed specifically for the light client.
+  Validators have the voting power of one. If you like to model various
+  voting powers, introduce multiple copies of the same validator
+  (do not forget to give them unique names though).
+ *)
+EXTENDS Integers, FiniteSets
+
+Min(a, b) == IF a < b THEN a ELSE b
+
+CONSTANT
+  AllNodes,
+    (* a set of all nodes that can act as validators (correct and faulty) *)
+  ULTIMATE_HEIGHT,
+    (* a maximal height that can be ever reached (modelling artifact) *)
+  TRUSTING_PERIOD
+    (* the period within which the validators are trusted *)
+
+Heights == 1..ULTIMATE_HEIGHT   (* possible heights *)
+
+(* A commit is just a set of nodes who have committed the block *)
+Commits == SUBSET AllNodes
+
+(* The set of all block headers that can be on the blockchain.
+   This is a simplified version of the Block data structure in the actual implementation. *)
+BlockHeaders == [
+  height: Heights,
+    \* the block height
+  time: Int,
+    \* the block timestamp in some integer units
+  lastCommit: Commits,
+    \* the nodes who have voted on the previous block, the set itself instead of a hash
+  (* in the implementation, only the hashes of V and NextV are stored in a block,
+     as V and NextV are stored in the application state *) 
+  VS: SUBSET AllNodes,
+    \* the validators of this bloc. We store the validators instead of the hash.
+  NextVS: SUBSET AllNodes
+    \* the validators of the next block. We store the next validators instead of the hash.
+]
+
+(* A signed header is just a header together with a set of commits *)
+LightBlocks == [header: BlockHeaders, Commits: Commits]
+
+VARIABLES
+    now,
+        (* the current global time in integer units *)
+    blockchain,
+    (* A sequence of BlockHeaders, which gives us a bird view of the blockchain. *)
+    Faulty
+    (* A set of faulty nodes, which can act as validators. We assume that the set
+       of faulty processes is non-decreasing. If a process has recovered, it should
+       connect using a different id. *)
+
+(* all variables, to be used with UNCHANGED *)       
+vars == <<now, blockchain, Faulty>>         
+
+(* The set of all correct nodes in a state *)
+Corr == AllNodes \ Faulty
+
+(* APALACHE annotations *)
+a <: b == a \* type annotation
+
+NT == STRING
+NodeSet(S) == S <: {NT}
+EmptyNodeSet == NodeSet({})
+
+BT == [height |-> Int, time |-> Int, lastCommit |-> {NT}, VS |-> {NT}, NextVS |-> {NT}]
+
+LBT == [header |-> BT, Commits |-> {NT}]
+(* end of APALACHE annotations *)       
+
+(****************************** BLOCKCHAIN ************************************)
+
+(* the header is still within the trusting period *)
+InTrustingPeriod(header) ==
+    now < header.time + TRUSTING_PERIOD
+
+(*
+ Given a function pVotingPower \in D -> Powers for some D \subseteq AllNodes
+ and pNodes \subseteq D, test whether the set pNodes \subseteq AllNodes has
+ more than 2/3 of voting power among the nodes in D.
+ *)
+TwoThirds(pVS, pNodes) ==
+    LET TP == Cardinality(pVS)
+        SP == Cardinality(pVS \intersect pNodes)
+    IN
+    3 * SP > 2 * TP \* when thinking in real numbers, not integers: SP > 2.0 / 3.0 * TP 
+
+(*
+ Given a set of FaultyNodes, test whether the voting power of the correct nodes in D
+ is more than 2/3 of the voting power of the faulty nodes in D.
+ *)
+IsCorrectPower(pFaultyNodes, pVS) ==
+    LET FN == pFaultyNodes \intersect pVS   \* faulty nodes in pNodes
+        CN == pVS \ pFaultyNodes            \* correct nodes in pNodes
+        CP == Cardinality(CN)               \* power of the correct nodes
+        FP == Cardinality(FN)               \* power of the faulty nodes
+    IN
+    \* CP + FP = TP is the total voting power, so we write CP > 2.0 / 3 * TP as follows:
+    CP > 2 * FP \* Note: when FP = 0, this implies CP > 0.
+
+(* This is what we believe is the assumption about failures in Tendermint *)     
+FaultAssumption(pFaultyNodes, pNow, pBlockchain) ==
+    \A h \in Heights:
+      pBlockchain[h].time + TRUSTING_PERIOD > pNow =>
+        IsCorrectPower(pFaultyNodes, pBlockchain[h].NextVS)
+
+(* Can a block be produced by a correct peer, or an authenticated Byzantine peer *)
+IsLightBlockAllowedByDigitalSignatures(ht, block) == 
+    \/ block.header = blockchain[ht] \* signed by correct and faulty (maybe)
+    \/ block.Commits \subseteq Faulty /\ block.header.height = ht /\ block.header.time >= 0 \* signed only by faulty
+
+(*
+ Initialize the blockchain to the ultimate height right in the initial states.
+ We pick the faulty validators statically, but that should not affect the light client.
+ *)            
+InitToHeight ==
+  /\ Faulty \in SUBSET AllNodes \* some nodes may fail
+  \* pick the validator sets and last commits
+  /\ \E vs, lastCommit \in [Heights -> SUBSET AllNodes]:
+     \E timestamp \in [Heights -> Int]:
+        \* now is at least as early as the timestamp in the last block 
+        /\ \E tm \in Int: now = tm /\ tm >= timestamp[ULTIMATE_HEIGHT]
+        \* the genesis starts on day 1     
+        /\ timestamp[1] = 1
+        /\ vs[1] = AllNodes
+        /\ lastCommit[1] = EmptyNodeSet
+        /\ \A h \in Heights \ {1}:
+          /\ lastCommit[h] \subseteq vs[h - 1]   \* the non-validators cannot commit 
+          /\ TwoThirds(vs[h - 1], lastCommit[h]) \* the commit has >2/3 of validator votes
+          /\ IsCorrectPower(Faulty, vs[h])       \* the correct validators have >2/3 of power
+          /\ timestamp[h] > timestamp[h - 1]     \* the time grows monotonically
+          /\ timestamp[h] < timestamp[h - 1] + TRUSTING_PERIOD    \* but not too fast
+        \* form the block chain out of validator sets and commits (this makes apalache faster)
+        /\ blockchain = [h \in Heights |->
+             [height |-> h,
+              time |-> timestamp[h],
+              VS |-> vs[h],
+              NextVS |-> IF h < ULTIMATE_HEIGHT THEN vs[h + 1] ELSE AllNodes,
+              lastCommit |-> lastCommit[h]]
+             ] \******
+
+
+(* is the blockchain in the faulty zone where the Tendermint security model does not apply *)
+InFaultyZone ==
+  ~FaultAssumption(Faulty, now, blockchain)       
+
+(********************* BLOCKCHAIN ACTIONS ********************************)
+(*
+  Advance the clock by zero or more time units.
+  *)
+AdvanceTime ==
+  \E tm \in Int: tm >= now /\ now' = tm
+  /\ UNCHANGED <<blockchain, Faulty>>
+
+(*
+ One more process fails. As a result, the blockchain may move into the faulty zone.
+ The light client is not using this action, as the faults are picked in the initial state.
+ However, this action may be useful when reasoning about fork detection.
+ *)
+OneMoreFault ==
+  /\ \E n \in AllNodes \ Faulty:
+      /\ Faulty' = Faulty \cup {n}
+      /\ Faulty' /= AllNodes \* at least process remains non-faulty
+  /\ UNCHANGED <<now, blockchain>>
+=============================================================================
+\* Modification History
+\* Last modified Wed Jun 10 14:10:54 CEST 2020 by igor
+\* Created Fri Oct 11 15:45:11 CEST 2019 by igor
diff --git a/light-client/tests/support/model_based/Blockchain_A_1.tla b/light-client/tests/support/model_based/Blockchain_A_1.tla
diff --git a/light-client/tests/support/model_based/LightTests.tla b/light-client/tests/support/model_based/LightTests.tla
@@ -1,6 +1,29 @@
 ------------------------- MODULE LightTests ---------------------------
 
-EXTENDS Lightclient_A_1
+EXTENDS Lightclient_002_draft
+
+(* The light client history, which is the function mapping states 1..nprobes to the record with fields:
+   - verified: the latest verified block in the previous state
+   - current: the block that is being checked in the previous state
+   - now: the time point in the previous state
+   - verdict: the light client verdict in the previous state
+*)
+VARIABLE
+  history
+
+historyState ==
+  [ verified |-> prevVerified, current |-> prevCurrent, now |-> prevNow, verdict |-> prevVerdict ]
+
+(* APALACHE annotations *)
+a <: b == a \* type annotation
+
+InitTest ==
+  /\ Init
+  /\ history = [ n \in {} <: {Int} |-> historyState ]
+
+NextTest ==
+  /\ Next
+  /\ history' = [ n \in DOMAIN history \union {nprobes} |-> IF n = nprobes THEN historyState ELSE history[n]]
 
 TestFailure ==
     /\ state = "finishedFailure"