Prove VReplicaSet Guarantee Condition #625
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Cody Rivera <codyjr3@illinois.edu>
Signed-off-by: Cody Rivera <codyjr3@illinois.edu>
Signed-off-by: Cody Rivera <codyjr3@illinois.edu>
src/v2/controllers/vreplicaset_controller/proof/liveness/proof.rs
Outdated
Show resolved
Hide resolved
Signed-off-by: Cody Rivera <codyjr3@illinois.edu>
|
Seems that there is a flaky proof? |
|
I find that vreplicaset-admission-verification is purely redundant; there is nothing to verify there... Let me remove it |
Merged
via the queue into
anvil-verifier:main
with commit May 13, 2025
af4fe1c
9 of 10 checks passed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This pull request introduces the proof of VRS's guarantee condition, thus completing the local rely-guarantee obligations for our verified ReplicaSet.
Notably, I was able to prove the guarantee condition without the use of history variables. In fact, much of the legwork comes from the invariant
each_vrs_in_reconcile_implies_filtered_pods_owned_by_vrs, which I was able to modify to prove without weak fairness and only with invariants starting frominit(rather than those only true at a later point in the trace).