microsoft
/
CCF
зеркало из https://github.com/microsoft/CCF.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
3 881 коммит 10 Ветки 297 Теги 836 MiB
Граф коммитов

244 Коммитов

Автор SHA1 Сообщение Дата
Markus Alexander Kuppe c7477234b8
Bug: Why calculate nextIndex based on *old* state of log?! (#5662) 
Co-authored-by: Eddy Ashton <edashton@microsoft.com>
 2023-09-19 15:54:13 +00:00
Markus Alexander Kuppe 5e9a1d098f
Refactor DropResponseWhenNotInState into arity-3 operator. (#5661) 
Co-authored-by: Amaury Chamayou <amchamay@microsoft.com>
 2023-09-19 07:50:21 -07:00
Markus Alexander Kuppe 93de138399
Refactor IsRcvAppendEntriesRequest to eliminate conjunct that matches the *next* logline. (#5658) 2023-09-15 16:24:01 +00:00
Markus Alexander Kuppe 4f799fa0cf
Validate committable indices (#5649) 2023-09-15 11:47:48 +01:00
Markus Alexander Kuppe 5e4f6d348c
Match next logline iff AE response comes from the same node. (#5657) 2023-09-15 09:12:52 +01:00
Markus Alexander Kuppe dbb38e511a
Move Alias to ccfraft. (#5651) 2023-09-13 11:07:13 +01:00
Markus Alexander Kuppe 408971b576
Support modeling different network guarantees. (#5634) 2023-09-08 18:15:13 +00:00
Markus Alexander Kuppe 98206da08d
matchIndex lower bound for nextIndex (#5630) 2023-09-08 07:29:18 +01:00
Markus Alexander Kuppe a5e5b0a234
Add two high-level liveness properties and a suitable fairness constraints. (#5633) 2023-09-07 14:50:03 -07:00
Markus Alexander Kuppe d37ecd6ca0
Syntactic change to show sender and receive in action labels of TLC counterexamples. (#5631) 
Also enables more fine grained fairness constraints.
 2023-09-07 10:13:40 +01:00
Markus Alexander Kuppe 4a7c951168
matchIndex lower bound for nextIndex (#5614) 2023-09-06 10:28:57 -07:00
Heidi Howard ff4402c981
Adding note to TLA+ spec on message ordering assumptions (#5613) 2023-09-05 14:29:56 +00:00
Markus Alexander Kuppe efdee8a365 Find a *shorter* counter-example. 2023-08-29 10:08:36 +02:00
Markus Alexander Kuppe 32bed6184c TLC will report a bogus violation of the property TraceMatched if TLC runs with more than a single worker. 2023-08-18 10:56:20 +02:00
Markus Alexander Kuppe 9c0228cfdc Trade two almost identical model files for two almost identical configs. 2023-08-10 09:31:01 +02:00
Markus Alexander Kuppe 80b9995235 Refactor state-space constraint into MCccfraft.tla. 2023-08-10 09:31:01 +02:00
Markus Alexander Kuppe a58faa9730
Toward trace validating raft_scenarios/election_while_reconfiguration (#5391) 2023-06-28 15:10:49 +01:00
Markus Alexander Kuppe 4751a8a894 Boilerplate to validate the current TLA+ trace against an older one. 
Depends on 5b3286ba7a

Part of https://github.com/microsoft/CCF/issues/5057
 2023-06-23 14:53:44 -07:00
Markus Alexander Kuppe 976aa693cc TraceStateSpace is vacuously true. 
* The new TraceMatched gives us a counterexample compared to the old
  TraceMatched based on POSTCONDITION
* The new TraceMatched is a hack because we have to force TLC to
  check the property as a liveness prop by adding the nested [],
  which in turn necessitates the disjunct
* Removing the conditionals based on scenarios names makes trace
  validation more robust, at the price of weakening the property by
  accepting one or two successor states at every step

https://github.com/microsoft/CCF/issues/5057
 2023-06-16 15:05:35 -07:00
Markus Alexander Kuppe 7605eaab4c matchIndex is monotonically increasing. 2023-06-16 19:58:37 +01:00
Markus Alexander Kuppe 8f6622bdaa Add MonotonicMatchIndexProp to TLA+ spec. 2023-06-16 19:58:37 +01:00
Markus Alexander Kuppe f4bb4d742f
Add matching of match_idx and sent_idx to trace validation (Traceccfraft.tla). (#5363) 2023-06-16 12:10:39 +00:00
Amaury Chamayou 0adea8e5b2
Another attempt at ignoring RVRs and AERs when not in the right state (#5356) 2023-06-16 11:31:16 +01:00
Amaury Chamayou 9e0e46c41a
Validate all traces, and improve output somewhat (#5355) 2023-06-16 09:17:09 +01:00
Markus Alexander Kuppe 25bf02ed10 Include logline and ts in Alias. 2023-06-01 11:36:06 -07:00
Markus Alexander Kuppe 8c04bf15c5 Decompose sub-action with disjunct into sub-sub-actions. 
Part of https://github.com/microsoft/CCF/issues/5057
 2023-06-01 11:36:06 -07:00
Markus Alexander Kuppe 7eb28b51ab
Strengthen trace validation by tightening lower bound of TraceAppendE… (#5319) 
https://github.com/microsoft/CCF/issues/5057
 2023-05-31 10:05:35 -07:00
Markus Alexander Kuppe 467fa03c57 Include log's timestamp in trace spec. 
https://github.com/microsoft/CCF/issues/5057
 2023-05-30 18:21:21 -07:00
Markus Alexander Kuppe 4d76fa1610 Replace messages with Messages. 
Left-over of c2208dc6ee
 2023-05-30 17:23:50 -07:00
Markus Alexander Kuppe c84ef8a60a
Make it explicit that constant Nil \notin Servers. (#5294) 2023-05-22 10:37:25 -07:00
Markus Alexander Kuppe 1532293717
Remove outdate trace validation action. (#5281) 
The "send_request_vote_response" disjunct is reported as another "IsRcvRequestVoteRequest" action with zero coverage.

Refactoring of https://github.com/microsoft/CCF/issues/5057
 2023-05-19 09:17:50 +01:00
Heidi Howard 80274ca82e
Swapping `RestrictPred` for `RestrictDomain` from TLA+ community modules (#5279) 2023-05-18 17:22:56 +01:00
Markus Alexander Kuppe e0ba91d3e5
Change Traceccfraft validation from using an action constraint to using a next-state relation approach. (#5255) 
https://github.com/microsoft/CCF/issues/5057
 2023-05-10 12:18:27 +00:00
Markus Alexander Kuppe b35e3f4615
Don't blindly trust copilot. (#5256) 
Fixes bug causing state-space explosion introduced in 9356212463
 2023-05-09 21:13:34 -07:00
Markus Alexander Kuppe 9356212463 Refactor (flatten) SignCommittableMessages. 
https://github.com/microsoft/CCF/issues/5057
 2023-05-08 09:27:39 -07:00
Markus Alexander Kuppe c42fcd14e8 Refactor (simplify) defintion of AppendEntriesResponse reply. 
https://github.com/microsoft/CCF/issues/5057
 2023-05-08 09:27:39 -07:00
Markus Alexander Kuppe b1fdb3a19a Strengthen definition of IsAppendEntriesRequest. 
https://github.com/microsoft/CCF/issues/5057
 2023-05-08 09:27:39 -07:00
Markus Alexander Kuppe b7ef9b04f9 Towards validating tests/raft_scenarios/fancy_election.2. 
Validation fails at line 135 (ts 440) without this change and at line 278 (ts 849) with this change:

<<"Failed matching the trace traces3/fancy_election.2.ndjson to (a prefix of) a behavior:", [msg |-> [packet |-> [msg |-> "raft_request_vote", term |-> 3, last_committable_idx |-> 4, term_of_last_committable_idx |-> 1], function |-> "send_request_vote", state |-> [node_id |-> "0", leadership_state |-> "Candidate", commit_idx |-> 2, current_view |-> 3, last_idx |-> 4, membership_state |-> "Active", new_view_idx |-> 0, watermark_idx |-> 2], to_node_id |-> "4"], tag |-> "raft_trace", level |-> "debug", h_ts |-> "440", thread_id |-> "100", file |-> "../src/consensus/aft/raft.h", number |-> "1475"], "TLA+ debugger breakpoint hit count 135">>  FALSE
Error: Assumption line 436, col 5 to line 437, col 22 of module Traceccfraft is false.

<<"Failed matching the trace traces3/fancy_election.2.ndjson to (a prefix of) a behavior:", [msg |-> [packet |-> [msg |-> "raft_append_entries_response", term |-> 4, success |-> "FAIL", last_log_idx |-> 2], function |-> "recv_append_entries_response", state |-> [node_id |-> "4", leadership_state |-> "Leader", commit_idx |-> 0, current_view |-> 4, last_idx |-> 4, membership_state |-> "Active", new_view_idx |-> 0, watermark_idx |-> 4], from_node_id |-> "0"], tag |-> "raft_trace", level |-> "debug", h_ts |-> "849", thread_id |-> "100", file |-> "../src/consensus/aft/raft.h", number |-> "1344"], "TLA+ debugger breakpoint hit count 278">>  FALSE
Error: Assumption line 436, col 5 to line 437, col 22 of module Traceccfraft is false.
 2023-05-08 09:27:39 -07:00
Markus Alexander Kuppe fb3973dabb Strengthen Traceccfraft validation. 2023-05-08 09:27:39 -07:00
Markus Alexander Kuppe ac17eb96d7 Include name of jsonfile in error message. 2023-05-08 09:27:39 -07:00
Markus Alexander Kuppe a7cbc18b6e Make it possible to copy&paste states from an error trace into the spec. 2023-05-08 09:27:39 -07:00
Markus Alexander Kuppe ec45d5d3e8 Globally assert that the local state of nodes not matching the log line do *not* change. 2023-05-08 09:27:39 -07:00
Markus Alexander Kuppe 92d30d3f5b Cannot assert currentTerm. 
The assert above does not work because the lookahead is not deep enough if multiple loglines describe a single step.  For example, the three loglines might be validated by action-composing three spec actions, asserting the logline of the first and second here but the third logline is the one where the currentTerm changes.  Unless we introduce a bigger lookahead (conceptually logline'', logline''', ...), we cannot assert the currentTerm here.
 2023-05-08 09:27:39 -07:00
Markus Alexander Kuppe 428f34854a Assert a node's currentTerm at every step. 
(Reveals inconsistencies in raft.h logging).
 2023-05-08 09:27:39 -07:00
Markus Alexander Kuppe 3250f56b52 Add Debug defs. 2023-05-08 09:27:39 -07:00
Markus Alexander Kuppe 27ad98885f Add debugging definitions. 2023-05-08 09:27:39 -07:00
Markus Alexander Kuppe af390d83f9
Tame state-space explosion (#5250) 
* Remove all instances of the `messagesSent` "state constraint variable"
* Limit the number of concurrent `AppendEntries` messages
* Refactor the definition for the updated value of `nextIndex`

https://github.com/microsoft/CCF/issues/5057
 2023-05-05 23:00:32 +01:00
Markus Alexander Kuppe 5301f6739f
Validate tests/raft_scenarios/bad_network, fancy_election.1, and suffix_collision.1 (#5223) 
Co-authored-by: Amaury Chamayou <amchamay@microsoft.com>
 2023-05-02 16:26:41 +00:00
Markus Alexander Kuppe 61ec90c7e3
Fix TraceStateSpace that has been vacuously true since https://github… (#5222) 2023-04-26 10:19:15 -07:00
Amaury Chamayou 4c6ebeebc4
Raft tracing (#5201) 2023-04-26 13:04:04 +01:00
Heidi Howard 796553fe1d
Fix for `MoreUpToDateCorrectInv` (#5209) 2023-04-26 10:15:49 +00:00
Heidi Howard 08035fac0e
Update `LogInv` in the TLA+ spec (#5206) 2023-04-26 11:05:47 +01:00
Amaury Chamayou d71d0a8a53
Remove unused membership states (#5207) 2023-04-25 18:42:38 +01:00
Markus Alexander Kuppe b5e27b0213
Move all trace validation logging into raft.h (#5200) 2023-04-24 18:30:15 +00:00
Heidi Howard b55e559b30
Spring clean of `ccfraft.tla` (#5197) 2023-04-21 18:35:38 +01:00
Heidi Howard b46d392d79
Expanding TLA+ CI (#5196) 2023-04-21 16:38:43 +00:00
Markus Alexander Kuppe 9f8833d41a
Regenerate *.ndjson files to logically rebase with latest code changes. (#5193) 2023-04-20 14:31:09 -07:00
Heidi Howard 2e7c823af7
Update reconfiguration logic in TLA+ specification (#5173) 2023-04-20 16:03:31 +01:00
Markus Alexander Kuppe c2208dc6ee
Validate several happy-path scenarios in `tests/raft_scenarios/`. (#5187) 2023-04-19 19:28:00 +01:00
Heidi Howard 88fab46f63
Trying some bonus properties (#5182) 2023-04-19 09:28:57 +01:00
Markus Alexander Kuppe a9477135e3
Model AppendEntries RPC with more than one entry s.t. the leader can … (#5154) 2023-04-14 09:59:05 -07:00
Heidi Howard dffb8bf622
Monotonic commit index (#5172) 2023-04-14 08:29:26 +01:00
Heidi Howard 2057635fb7
TLA+ spec - each reconfiguration must change the set of servers (#5168) 
Co-authored-by: Markus Alexander Kuppe <github.com@lemmster.de>
Co-authored-by: Amaury Chamayou <amaury@xargs.fr>
 2023-04-13 14:39:34 +01:00
Markus Alexander Kuppe 3000670a64
Allow sending empty AppendEntries message. (#5150) 2023-03-30 07:38:18 +01:00
Amaury Chamayou bd991094ea
Remove unnecessary condition (#5128) 
Co-authored-by: Markus Alexander Kuppe <github.com@lemmster.de>
 2023-03-22 18:14:10 +00:00
Markus Alexander Kuppe 1b57244ce6
(Raft) Node without configuration can become primary/leader #4806 (#4807) 2023-02-27 08:14:43 +00:00
Markus Alexander Kuppe 4a468588b9
A pending node that becomes part of any configuration immediately transitions to Follower state. (#4928) 2023-02-03 17:26:49 +00:00
Markus Alexander Kuppe d6cb71e2d0
Pending nodes must not be part of a configuration. (#4867) 2023-01-31 09:38:16 +00:00
Heidi Howard 5d720ddab5
Fixing QuorumLogInv in TLA+ spec (#4859) 2023-01-31 09:21:07 +00:00
Markus Alexander Kuppe 21e0d911de
Nodes may not rejoin a configuration. (#4868) 2023-01-30 17:35:12 +00:00
Markus Alexander Kuppe 280f0a8d93
Polish instructions to run simulation. (#4873) 2023-01-21 20:27:24 +00:00
Markus Alexander Kuppe 4a68e905b6
Deadlock after some 20 steps with two, three, four Nodes (#4812) 2023-01-11 09:24:07 +00:00
Markus Alexander Kuppe 962c0a2489
Install wget if install_deps.py script is executed in default codespace. (#4802) 2023-01-06 10:15:28 +00:00
Markus Alexander Kuppe f09d5408a3
Decompose `Receive` action to see sub-action names in counterexamples. (#4791) 2023-01-05 15:23:26 +00:00
Markus Alexander Kuppe 1e2708f7c5
Bias random simulation to forward-progress actions. (#4658) 2022-12-01 18:21:49 +00:00
Markus Alexander Kuppe 1fadc740e8
Check for deadlocks when simulating the spec without state- or action… (#4655) 2022-11-29 09:39:11 +00:00
Markus Alexander Kuppe d0ccf76da1
Add comments for spec constants. (#4653) 2022-11-28 18:11:49 +00:00
Amaury Chamayou b69ea72936
Simplify tla spec page (#4644) 2022-11-28 14:38:43 +00:00
Markus Alexander Kuppe fbc062c323
Simulate ccfraft spec with TLC for five nodes... (#4552) 2022-11-15 20:25:56 +00:00
Dominic Ayre 9a1ef3baca
Fix bug fetching deps for TLA and call during dev container setup (#4523) 2022-11-14 12:08:03 +00:00
Heidi Howard 4631959e77
In TLA+ spec, Raft leader should only advance its commit index in current term (#4485) 2022-11-08 18:10:06 +00:00
Markus Alexander Kuppe a5d0dce264
Exclude messagesSent variable s.t. two states are considered equal if they only differ in the number of messages sent. (#4471) 2022-11-08 11:08:33 +00:00
Markus Alexander Kuppe 7041ef31dc
Remember node and log index instead of having TLC hang on to a copy of a prefix of some node's log. (#4470) 2022-11-08 10:47:58 +00:00
Markus Alexander Kuppe 483d1c10a0
Remove unused variable votesSent. (#4439) 2022-11-01 21:50:22 +00:00
Markus Alexander Kuppe 12ebbb2ef6
Rename currentConfigurations to configurations and model value as `[ Servers -> [ Nat -> SUBSET Servers ] ]` instead of `[ Servers -> Seq(<<Nat, SUBSET Server>>)`. (#4438) 2022-11-01 21:30:55 +00:00
Markus Alexander Kuppe 69b0686e8a
No need to intersect with config_server if agree_server is defined in… … terms of config_server. (#4437) 
Co-authored-by: Heidi Howard <1835251+heidihoward@users.noreply.github.com>
Co-authored-by: Amaury Chamayou <amchamay@microsoft.com>
 2022-11-01 11:36:01 +00:00
Markus Alexander Kuppe 122d9ffd79
Minor refactorings of TLA+ spec (#4436) 2022-11-01 11:10:15 +00:00
Markus Alexander Kuppe 7f73fe55a0
Another subset of small improvements of TLA+ specification listed in #4264 (#4411) 2022-10-31 23:34:10 +00:00
Heidi Howard f6d3b2c442
TLA+ at the push of a button (#4420) 2022-10-28 11:17:15 +01:00
Markus Alexander Kuppe dbad39864a
Subset of small improvements of TLA+ specification listed in #4264 (#4363) 2022-10-24 19:57:17 +01:00
Heidi Howard 5f816ca077
Fixing TLA+ specifications (#3965) 2022-10-11 22:17:51 +01:00
Heidi Howard b8f9c6d913
Fixes to reduced state space TLA+ specification (#3881) 2022-05-24 15:03:53 +00:00
Heidi Howard 2a048e2ef9
updating URL of tla2tools in download_or_update.sh (#3838) 2022-05-13 18:18:47 +01:00
Fritz Alder a03608e429
TLA+ model of CCF's Raft (#2821) 2021-07-23 09:30:51 +01:00