forked from informalsystems/tendermint-rs
-
Notifications
You must be signed in to change notification settings - Fork 0
/
LightTests.tla
303 lines (257 loc) · 12 KB
/
LightTests.tla
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
------------------------- MODULE LightTests ---------------------------
EXTENDS Lightclient_003_draft
(* The light client history, which is the function mapping states 0..nprobes to the record with fields:
- verified: the latest verified block in the previous state
- current: the block that is being checked in the previous state
- now: the time point in the previous state
- verdict: the light client verdict in the previous state
*)
VARIABLE
\* @type: Int -> [verified: BLOCK, current: BLOCK, now: Int, verdict: Str];
history
\* This predicate extends the LightClient Init predicate with history tracking
InitTest ==
/\ Init
/\ history = [ n \in {0} |->
[ verified |-> prevVerified, current |-> prevCurrent, now |-> prevNow, verdict |-> prevVerdict ]]
\* This predicate extends the LightClient Next predicate with history tracking
NextTest ==
/\ Next
/\ history' = [ n \in DOMAIN history \union {nprobes'} |->
IF n = nprobes' THEN
[ verified |-> prevVerified', current |-> prevCurrent', now |-> prevNow', verdict |-> prevVerdict' ]
ELSE history[n]
]
\* Some useful operators for writing tests
LightBlock(st) == history[st].current
Height(st) == history[st].current.header.height
ValSet(st) == LightBlock(st).header.VS
ValCommits(st) == LightBlock(st).Commits
\* Test an execution that finishes with failure
TestFailure ==
/\ state = "finishedFailure"
/\ Cardinality(DOMAIN fetchedLightBlocks) = TARGET_HEIGHT
\* Test an execution that finishes with success
TestSuccess ==
/\ state = "finishedSuccess"
/\ Cardinality(DOMAIN fetchedLightBlocks) = TARGET_HEIGHT
\* This test never produces a counterexample; so the model should be corrected
TestFailedTrustingPeriod ==
\E s \in DOMAIN history :
history[s].verdict = "FAILED_TRUSTING_PERIOD"
TwoNotEnoughTrust ==
\E s1, s2 \in DOMAIN history :
/\ s1 /= s2
/\ history[s1].verdict = "NOT_ENOUGH_TRUST"
/\ history[s2].verdict = "NOT_ENOUGH_TRUST"
ThreeNotEnoughTrust ==
\E s1, s2, s3 \in DOMAIN history :
/\ s1 /= s2 /\ s2 /= s3 /\ s1 /= s3
/\ history[s1].verdict = "NOT_ENOUGH_TRUST"
/\ history[s2].verdict = "NOT_ENOUGH_TRUST"
/\ history[s3].verdict = "NOT_ENOUGH_TRUST"
\* Test an execution that finishes with success, and processes two headers with insufficient trust on the way
Test2NotEnoughTrustSuccess ==
/\ state = "finishedSuccess"
/\ TwoNotEnoughTrust
\* Test an execution that finishes with failure, and processes two headers with insufficient trust on the way
Test2NotEnoughTrustFailure ==
/\ state = "finishedFailure"
/\ TwoNotEnoughTrust
\* Test an execution that finishes with success, and processes three headers with insufficient trust on the way
Test3NotEnoughTrustSuccess ==
/\ state = "finishedSuccess"
/\ ThreeNotEnoughTrust
\* Test an execution that finishes with failure, and processes three headers with insufficient trust on the way
Test3NotEnoughTrustFailure ==
/\ state = "finishedFailure"
/\ ThreeNotEnoughTrust
TestNonMonotonicHeight ==
/\ \E s \in DOMAIN history :
\* this is wrong
/\ history[s].current.header.height <= history[s].verified.header.height
\* everything else is correct
/\ history[s].current.header /= history[s].verified.header
/\ history[s].current.header.time > history[s].verified.header.time
/\ history[s].current.header.time < history[s].now
/\ history[s].verified.header.time + TRUSTING_PERIOD > history[s].now
/\ history[s].current.Commits /= {}
/\ history[s].current.Commits \subseteq history[s].current.header.VS
(*
Following three tests have been disabled for now,
please refer issue: https://github.com/informalsystems/tendermint-rs/issues/659
TestEmptyCommitEmptyValset ==
/\ \E s \in DOMAIN history :
\* this is wrong
/\ history[s].current.Commits = {}
/\ ValSet(s) = {}
\* everything else is correct
/\ history[s].current.header /= history[s].verified.header
/\ history[s].current.header.height > history[s].verified.header.height
/\ history[s].current.header.time > history[s].verified.header.time
/\ history[s].current.header.time < history[s].now
/\ history[s].verified.header.time + TRUSTING_PERIOD > history[s].now
TestEmptyCommitNonEmptyValset ==
/\ \E s \in DOMAIN history :
\* this is wrong
/\ history[s].current.Commits = {}
/\ ValSet(s) /= {}
\* everything else is correct
/\ history[s].current.header /= history[s].verified.header
/\ history[s].current.header.height > history[s].verified.header.height
/\ history[s].current.header.time > history[s].verified.header.time
/\ history[s].current.header.time < history[s].now
/\ history[s].verified.header.time + TRUSTING_PERIOD > history[s].now
TestLessThanTwoThirdsCommit ==
/\ \E s \in DOMAIN history :
\* this is wrong
LET CMS == history[s].current.Commits
UVS == history[s].current.header.VS
TVS == history[s].verified.header.VS
IN
/\ history[s].current.header.height > history[s].verified.header.height + 1
/\ CMS /= {}
/\ CMS \subseteq UVS
/\ 3 * Cardinality(CMS) < 2 * Cardinality(UVS)
/\ 3 * Cardinality(CMS \intersect TVS) < Cardinality(TVS)
\* everything else is correct
/\ history[s].current.header /= history[s].verified.header
/\ history[s].current.header.height > history[s].verified.header.height
/\ history[s].current.header.time > history[s].verified.header.time
/\ history[s].current.header.time < history[s].now
/\ history[s].verified.header.time + TRUSTING_PERIOD > history[s].now
*)
\* Time-related tests
\* Test an execution where a header is received from the future
TestHeaderFromFuture ==
/\ \E s \in DOMAIN history :
/\ history[s].now < history[s].current.header.time
/\ history[s].now < history[s].verified.header.time + TRUSTING_PERIOD
\* Test an execution where the untrusted header time is before the trusted header time
TestUntrustedBeforeTrusted ==
/\ \E s \in DOMAIN history :
LET CMS == history[s].current.Commits
UVS == history[s].current.header.VS
IN
/\ history[s].current.header.time < history[s].verified.header.time
/\ history[s].now < history[s].verified.header.time + TRUSTING_PERIOD
/\ CMS /= {}
/\ UVS /= {}
/\ Cardinality(CMS) < Cardinality(UVS)
\* Test an execution where a header is outside the trusting period
TestHeaderNotWithinTrustingPeriod ==
/\ Cardinality(DOMAIN fetchedLightBlocks) = TARGET_HEIGHT
/\ \E s \in DOMAIN history :
/\ history[s].now > history[s].verified.header.time + TRUSTING_PERIOD
/\ history[s].current.header.time < history[s].now
\* Validator set tests
\* Test an execution where the validator sets differ at each step
TestValsetDifferentAllSteps ==
/\ Cardinality(DOMAIN fetchedLightBlocks) = TARGET_HEIGHT
/\ \A s1, s2 \in DOMAIN history :
s1 /= s2 =>
history[s1].current.header.VS /= history[s2].current.header.VS
TestHalfValsetChanges ==
/\ Cardinality(DOMAIN fetchedLightBlocks) = TARGET_HEIGHT
/\ \E s1, s2 \in DOMAIN history :
/\ s2 = s1 + 1
/\ Cardinality(ValSet(s1)) >= 3
/\ 2 * Cardinality(ValSet(s1) \intersect ValSet(s2)) < Cardinality(ValSet(s1))
TestHalfValsetChangesVerdictSuccess ==
/\ Cardinality(DOMAIN fetchedLightBlocks) = TARGET_HEIGHT
/\ \E s1, s2 \in DOMAIN history :
/\ s2 = s1 + 1
/\ history[s2].verdict = "SUCCESS"
/\ Cardinality(ValSet(s1)) >= 3
/\ 2 * Cardinality(ValSet(s1) \intersect ValSet(s2)) < Cardinality(ValSet(s1))
TestHalfValsetChangesVerdictNotEnoughTrust ==
/\ Cardinality(DOMAIN fetchedLightBlocks) = TARGET_HEIGHT
/\ \E s1, s2 \in DOMAIN history :
/\ s2 = s1 + 1
/\ history[s2].verdict = "NOT_ENOUGH_TRUST"
/\ Cardinality(ValSet(s1)) >= 3
/\ 2 * Cardinality(ValSet(s1) \intersect ValSet(s2)) < Cardinality(ValSet(s1))
TestValsetDoubles ==
/\ Cardinality(DOMAIN fetchedLightBlocks) = TARGET_HEIGHT
/\ \E s1, s2 \in DOMAIN history :
/\ s2 = s1 + 1
/\ Cardinality(ValSet(s1)) >= 2
/\ Cardinality(ValSet(s2)) = 2 * Cardinality(ValSet(s1))
TestValsetHalves ==
/\ Cardinality(DOMAIN fetchedLightBlocks) = TARGET_HEIGHT
/\ \E s1, s2 \in DOMAIN history :
/\ s2 = s1 + 1
/\ Cardinality(ValSet(s1)) >= 4
/\ Cardinality(ValSet(s1)) = 2 * Cardinality(ValSet(s2))
TestValsetChangesFully ==
/\ Cardinality(DOMAIN fetchedLightBlocks) = TARGET_HEIGHT
/\ \E s1, s2 \in DOMAIN history :
/\ s2 = s1 + 1
/\ Cardinality(ValSet(s1)) >= 2
/\ ValSet(s1) \intersect ValSet(s2) = {}
TestLessThanThirdValsetChanges ==
/\ Cardinality(DOMAIN fetchedLightBlocks) = TARGET_HEIGHT
/\ \E s1, s2 \in DOMAIN history :
/\ s2 = s1 + 1
/\ Cardinality(ValSet(s1)) >= 4
/\ ValSet(s2) /= ValSet(s1)
/\ 3 * Cardinality(ValSet(s2) \ ValSet(s1)) < Cardinality(ValSet(s1))
TestMoreThanTwoThirdsValsetChanges ==
/\ Cardinality(DOMAIN fetchedLightBlocks) = TARGET_HEIGHT
/\ \E s1, s2 \in DOMAIN history :
/\ s2 = s1 + 1
/\ Cardinality(ValSet(s1)) >= 4
/\ 3 * Cardinality(ValSet(s2) \ ValSet(s1)) > 2 * Cardinality(ValSet(s1))
TestOneThirdValsetChanges ==
/\ Cardinality(DOMAIN fetchedLightBlocks) = TARGET_HEIGHT
/\ \E s1, s2 \in DOMAIN history :
/\ s2 = s1 + 1
/\ Cardinality(ValSet(s1)) >= 3
/\ 3 * Cardinality(ValSet(s2) \ ValSet(s1)) = Cardinality(ValSet(s1))
TestTwoThirdsValsetChanges ==
/\ Cardinality(DOMAIN fetchedLightBlocks) = TARGET_HEIGHT
/\ \E s1, s2 \in DOMAIN history :
/\ s2 = s1 + 1
/\ Cardinality(ValSet(s1)) >= 3
/\ 3 * Cardinality(ValSet(s2) \ ValSet(s1)) = 2 * Cardinality(ValSet(s1))
TestLessThanTwoThirdsSign ==
/\ Cardinality(DOMAIN fetchedLightBlocks) = TARGET_HEIGHT
/\ \E s \in DOMAIN history :
/\ history[s].verified.header.time + TRUSTING_PERIOD > history[s].now
\* this is wrong
/\ \E commits \in SUBSET AllNodes:
\E block \in BC!LightBlocks:
/\ 3 * Cardinality(commits) < 2 * Cardinality(ValSet(s))
/\ CopyLightBlockFromChain(block, Height(s))
/\ LightBlock(s) = [ block EXCEPT !.Commits = commits]
TestMoreThanTwoThirdsSign ==
/\ Cardinality(DOMAIN fetchedLightBlocks) = TARGET_HEIGHT
/\ \E s \in DOMAIN history :
3 * Cardinality(ValCommits(s)) >= 2 * Cardinality(ValSet(s))
============================================================================
\* When Apalache is fixed to work with operator params, we should rewrite the validator set tests as shown below
\* A configurable test for two neighbor valsets
TestNeighborValsets(test(_,_)) ==
/\ Cardinality(DOMAIN fetchedLightBlocks) = TARGET_HEIGHT
/\ \E s1, s2 \in DOMAIN history :
/\ s2 = s1 + 1
/\ test(ValSet(s1), ValSet(s2))
\* A configurable test for two neighbor valsets and expected verdict
TestNeighborValsetsVerdict(test(_,_), want_verdict) ==
/\ Cardinality(DOMAIN fetchedLightBlocks) = TARGET_HEIGHT
/\ \E s1, s2 \in DOMAIN history :
/\ s2 = s1 + 1
/\ test(ValSet(s1), ValSet(s2))
/\ history[s2].verdict = want_verdict
HalfValsetChanges(vs1, vs2) ==
/\ Cardinality(vs1) >= 3
/\ 2 * Cardinality(vs1 \intersect vs2) < Cardinality(vs1)
TestHalfValsetChanges == TestNeighborValsets(HalfValsetChanges)
TestHalfValsetChangesVerdictSuccess == TestNeighborValsetsVerdict(HalfValsetChanges, "SUCCESS")
TestHalfValsetChangesVerdictNotEnoughTrust == TestNeighborValsetsVerdict(HalfValsetChanges, "NOT_ENOUGH_TRUST")
ValsetDoubles(vs1, vs2) ==
/\ Cardinality(vs1) >= 2
/\ Cardinality(vs2) = 2 * Cardinality(vs1)
TestValsetDoubles == TestNeighborValsets(ValsetDoubles)
TestValsetDoublesVerdictSuccess == TestNeighborValsetsVerdict(ValsetDoubles, "SUCCESS")
TestValsetDoublesVerdictNotEnoughTrust == TestNeighborValsetsVerdict(ValsetDoubles, "NOT_ENOUGH_TRUST")