Skip to content

Commit

Permalink
Inductive invariant validation with Apalache.
Browse files Browse the repository at this point in the history
  • Loading branch information
lemmy committed Sep 6, 2024
1 parent 0836a9f commit b4b0065
Show file tree
Hide file tree
Showing 5 changed files with 35 additions and 3 deletions.
13 changes: 13 additions & 0 deletions APApbft.cfg
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
SPECIFICATION SpecByz

CONSTANTS
R <- MC_R
ByzR <- MC_ByzR
Tstamps <- MC_Tstamps
Views <- MC_Views
Checkpoints <- MC_Checkpoints

INVARIANTS
TypeOK
SafetyInv
CommittedInv
2 changes: 1 addition & 1 deletion APApbft.tla
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ MC_R == 0..3

\* Set of requests which are byzantine
\* @type: Set(Int);
MC_ByzR == {}
MC_ByzR == MC_R

MC_Tstamps == 1..3

Expand Down
1 change: 1 addition & 0 deletions MCpbft.cfg
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ SPECIFICATION SpecByz
CONSTANT
\* Init <- MCInit
ViewChange <- MCViewChange
GenerateO <- MC_GenerateO

CONSTANTS
R <- MC_R
Expand Down
15 changes: 15 additions & 0 deletions MCpbft.tla
Original file line number Diff line number Diff line change
Expand Up @@ -89,4 +89,19 @@ MCInit ==
\/ RInit
/\ Inv

-------

\* This is Heidi's definition of GenerateO moved out of pbft. However, Apalache
\* does not support (mins+1)..maxs when mins and maxs are non-constant.
\* Moreover, Apalache does not support re-defining this non-zero arity operator,
\* which is why the more complex definition is now in pbft and the simpler one
\* below.
\* @type: (Set ($viewchangeMsgs), Int, Int) => Set ($preprepareMsgs);
MC_GenerateO(V,i,v) ==
LET mins == Max0(UNION {{cp.n: cp \in vcm.c}: vcm \in V})
ppms == UNION {{pp.preprepare: pp \in vcm.p}: vcm \in V}
maxs == Max0({ppm.n: ppm \in ppms}) IN
{[v |-> v, p |-> i, n |-> sn, d |-> GetDigest(ppms,sn)] : sn \in (mins+1)..maxs}


=====
7 changes: 5 additions & 2 deletions pbft.tla
Original file line number Diff line number Diff line change
Expand Up @@ -591,8 +591,11 @@ GetDigest(ppms, sn) ==
GenerateO(V,i,v) ==
LET mins == Max0(UNION {{cp.n: cp \in vcm.c}: vcm \in V})
ppms == UNION {{pp.preprepare: pp \in vcm.p}: vcm \in V}
maxs == Max0({ppm.n: ppm \in ppms}) IN
{[v |-> v, p |-> i, n |-> sn, d |-> GetDigest(ppms,sn)] : sn \in (mins+1)..maxs}
maxs == Max0({ppm.n: ppm \in ppms})
\* Apalache does not yet support integer ranges with non-constant bounds:
\* https://github.com/apalache-mc/apalache/blob/main/docs/src/apalache/known-issues.md#integer-ranges-with-non-constant-bounds
apa == { j \in Views : mins+1 <= j /\ j <= maxs} IN
{[v |-> v, p |-> i, n |-> sn, d |-> GetDigest(ppms,sn)] : sn \in apa }

\* Castro & Liskov S4.4:
\* When the primary p of view v+1 receives 2f valid view-change messages for view v+1 from other replicas, it multicasts a (NEW-VIEW,v+1,V,O) message to all other replicas, where V is a set containing the valid view-change messages received by the primary plus the view-change message for v+1 the primary sent (or would have sent), and is a set of pre-prepare messages (without the piggybacked request).
Expand Down

0 comments on commit b4b0065

Please sign in to comment.