8000 mempool: formal specs in Quint and TLA+ of mempool with cache by hvanz · Pull Request #800 · cometbft/cometbft · GitHub

More Web Proxy on the site http://driver.im/

mempool: formal specs in Quint and TLA+ of mempool with cache #800

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Closed

hvanz wants to merge 40 commits into main from hernan/mempool-spec

Member

hvanz commented

Contributes to #614

PR checklist

Changelog entry added in .changelog (we use unclog to manage our changelog)
Updated relevant documentation (docs/ or spec/) and code comments


          First working version of a TLA+ spec

203c91e

hvanz added mempool spec labels

hvanz added this to the 2023-Q2 milestone

hvanz self-assigned this


          Improve formatting and comments; slight renaming

9ed296c

hvanz added the wip label

hvanz changed the title ~~mempool: first formal spec~~ mempool: formal specs (WIP)

hvanz added 22 commits

May 9, 2023 10:29


          A few small fixes

8858a08


          First version of quint spec

541852e


          Extract Network module

a6bcdf7


          Move Peers to Network

c42aa80


          Renaming, reordering

dc127a0


          Record tx's height in mempool

2f39367


          Record tx's height in mempool; fix network

a27dd99


          Add Chain module; remove sender variable

8bdd4f0


          tla: Merge requestResponses and requestSenders; step as a tuple


          quint: Add chain; step as a tuple; refactor Network

963f88d


          quint: merge requestResponses and requestSender

1f743b9


          tla: minor refactoring

b6aa85e


          quint: merge mempool and sender; fix isValid and ReceiveRecheckTxResp…

09595a0

…onse


          Use mapRemove and require from basicSpells

f276640


          slight refactoring; comments; more tests

623feaa


          Add mode: Bluespec

c7dbf65


          Fix last commit

4c5731c


          Split quint spec into multiple files

a474969


          renaming

685092c


          Fix height + tests + more

c2c7e4d


          Fix removeFromMempool

3fbbc32


          Add history variables

3157d66

hvanz added 16 commits

May 25, 2023 23:25


          Change error to record

cde8139


          Add mapPut

313c4e9


          more refactoring

bd54f30


          History

31458f5


          Add properties

dfca3c8


          some renaming

1a42002


          A few fixes

a8297a4


          Fix Chain_latestHeight

fc2388f


          Add params module

73d7335


          Replace chooseSome for noMempoolTx

15ecf3d


          Change abciServers into abciServersAsync; rename height

ebe392c


          modules abciServers, testProperties

bfa6bb4


          Add errors module; renaming because of "import as..."

acb4b28


          some fixes, some refactoring, some changes

b21a7d9


          Some fixes to spec and tests

4440d4b


          Add makefile

4b0cce4

otrack reviewed

View reviewed changes

Contributor

otrack left a comment

The Quint specification is accurately following the golang codebase (mempool/reactor.go, mempool/clist_mempool.go) in a very nice and elegant manner.

In the few things, I would recommend to amend/add:

asynchronous ABCI calls
the behavior of consensus upon commit as in state/execution.go
differentiate txs and txsMap (although this one is not really mandatory imho because tx in txs iff tx in txsMap)

Would it be also possible to relate this specification to the high-level one which is in the knowledge base? (See here and PR#7.) There is also a refined version that includes caching.

spec/mempool/v0/quint/mempoolv0.qnt Show resolved Hide resolved

spec/mempool/v0/quint/mempoolv0.qnt

+                  // block it created and rechecks outstanding txs.
+                  // This node is not the proposer: take the block from the chain.
+                  action BlockExecutor_MempoolUpdate_nonProposer(node) = all {

Contributor

otrack

Strictly speaking, upon commit the following logic is applied: mempool.Lock, mempool.FlushAppConn, proxyApp.Commit, mempool.Update then mempool.Unlock. (See state/execution.go#Commit.) I wonder if it would be possible to follow exactly these steps.

Member Author

hvanz

Right. I will add the following to the update actions, to make sure all ABCI requests are processed before updating.

        require(node.ABCI::checkTxRequests().isEmpty()),
        require(node.ABCI::recheckTxRequests().isEmpty()),

This won't make the flush-commit-update steps atomic, as when they are hold by the lock, but it will work.

spec/mempool/v0/quint/mempoolv0.qnt Show resolved Hide resolved

spec/mempool/v0/quint/mempoolv0.qnt

+                  // Auxiliary variables
+                  //--------------------------------------------------------------------------
+                  type Step = str
+                  var _step: { node: NodeId, name: Step, args: str -> str }

Contributor

otrack

Tracking which step was taken during a run is really nice (e.g., to understand why an invariant got broken). I wonder if this could be included as a feature in Quint.

spec/mempool/v0/quint/mempoolv0.qnt


		val noMempoolTx = { tx: "", height: 0, senders: Set() }

		var mempool: NodeId -> Set[MempoolTx]

Contributor

otrack

If we follow to the letter the codebase, then maybe add both txs and txsMap there.

Member Author

hvanz

That would be a deeper level of abstraction. We would need also to refine Set[MempoolTx] to List[MempoolTx]. We will need to do it if we want to find if txs and txsMap are implemented correctly.

spec/mempool/v0/quint/mempoolv0.qnt Show resolved Hide resolved

spec/mempool/v0/quint/mempoolv0.qnt

+                  /* The reactor sends at once a tx in the mempool to all its peers. */
+                  // [Reactor.broadcastTxRoutine]: https://github.com/CometBFT/cometbft/blob/5049f2cc6cf519554d6cd90bcca0abe39ce4c9df/mempool/reactor.go#L132
+                  action P2P_BroadcastTx(node: NodeId): bool = all {

Contributor

otrack

Strictly speaking, there is no such atomic action in mempool/reactor.go.

Member Author

hvanz

Initially I had a P2P_SendTx action but it introduced a lot of additional, unnecessary steps to the trace, one for each peer. Since each peer process the received message when they need to, it doesn't make any real difference to put the message in the peer's inbox all at once.

spec/mempool/v0/quint/base.qnt


		val __Txs = Set("tx1", "tx2", "tx3", "tx4")

		def __isValidAt(tx, h) = or {

Contributor

otrack

Neat idea which permits to introduce some complexity in the execution of transactions at low cost.

Member Author

hvanz

Yeah, though now that we agreed that CheckTx is not deterministic, this is not correct anymore 😅

spec/mempool/v0/quint/abciServers.qnt

+                          (rs) => rs.put(req, (senderId, h, resp)))
+                  // For "Recheck" we send multiple requests at once.
+                  action sendRequestRecheckTxs(nodeId, txs, h) =

Contributor

otrack

If the end goal is to model the golang implementation, then I would go for asynchronous ABCI calls.

Member Author

hvanz

This is another case that can be specified with a deeper level of abstraction.

Member Author

hvanz commented

Closing this PR as this work is moved to another repo and PR: cometbft/knowledge-base#11. Comments by @otrack are addressed there.

Though this spec is certainly useful for eventually applying model-based testing, it's too tied to the v0 implementation, so we would need to keep it up to date with the changes in the code if we maintain it in this repo.

hvanz closed this

hvanz changed the title ~~mempool: formal specs (WIP)~~ mempool: formal specs in Quint and TLA+

hvanz changed the title ~~mempool: formal specs in Quint and TLA+~~ mempool: formal specs in Quint and TLA+ of mempool with cache

hvanz removed the wip label

hvanz mentioned this pull request

Quint spec of the mempool cometbft/knowledge-base#11

Merged

hvanz deleted the hernan/mempool-spec branch

July 26, 2023 14:09

hvanz restored the hernan/mempool-spec branch

July 26, 2023 14:09

hvanz deleted the hernan/mempool-spec branch

December 20, 2024 22:12

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

0