zolfa
/
tendermint
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 221 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
177 Commits
183 Branches
291 MiB
Tree: 24222c5855
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '24222c5855'
${ noResults }
tendermint/spec/light-client/accountability/TendermintAccDebug_004_draf...

100 lines
4.0 KiB
Raw Normal View History

Computing attack types (#232) Add light attack evidence handling
4 years ago
 
  1. ------------------ MODULE TendermintAccDebug_004_draft -------------------------
  2. (*
  3.  A few definitions that we use for debugging TendermintAcc3, which do not belong
  4.  to the specification itself.
  5.  
  6.  * Version 3. Modular and parameterized definitions.
  7. 

  8.  Igor Konnov, 2020.
  9.  *)
  10. 

  11. EXTENDS TendermintAccInv_004_draft
  12. 

  13. \* make them parameters?
  14. NFaultyProposals == 0   \* the number of injected faulty PROPOSE messages
  15. NFaultyPrevotes == 6    \* the number of injected faulty PREVOTE messages
  16. NFaultyPrecommits == 6  \* the number of injected faulty PRECOMMIT messages
  17. 

  18. \* Given a set of allowed messages Msgs, this operator produces a function from
  19. \* rounds to sets of messages.
  20. \* Importantly, there will be exactly k messages in the image of msgFun.
  21. \* We use this action to produce k faults in an initial state.
  22. ProduceFaults(msgFun, From, k) ==
  23.     \E f \in [1..k -> From]:
  24.         msgFun = [r \in Rounds |-> {m \in {f[i]: i \in 1..k}: m.round = r}]
  25. 

  26. \* As TLC explodes with faults, we may have initial states without faults    
  27. InitNoFaults ==
  28.     /\ round = [p \in Corr |-> 0]
  29.     /\ step = [p \in Corr |-> "PROPOSE"]
  30.     /\ decision = [p \in Corr |-> NilValue]
  31.     /\ lockedValue = [p \in Corr |-> NilValue]
  32.     /\ lockedRound = [p \in Corr |-> NilRound]
  33.     /\ validValue = [p \in Corr |-> NilValue]
  34.     /\ validRound = [p \in Corr |-> NilRound]
  35.     /\ msgsPropose = [r \in Rounds |-> EmptyMsgSet]
  36.     /\ msgsPrevote = [r \in Rounds |-> EmptyMsgSet]
  37.     /\ msgsPrecommit = [r \in Rounds |-> EmptyMsgSet]
  38.     /\ evidence = EmptyMsgSet
  39. 

  40. (*
  41.  A specialized version of Init that injects NFaultyProposals proposals,
  42.  NFaultyPrevotes prevotes, NFaultyPrecommits precommits by the faulty processes
  43.  *)
  44. InitFewFaults ==
  45.     /\ round = [p \in Corr |-> 0]
  46.     /\ step = [p \in Corr |-> "PROPOSE"]
  47.     /\ decision = [p \in Corr |-> NilValue]
  48.     /\ lockedValue = [p \in Corr |-> NilValue]
  49.     /\ lockedRound = [p \in Corr |-> NilRound]
  50.     /\ validValue = [p \in Corr |-> NilValue]
  51.     /\ validRound = [p \in Corr |-> NilRound]
  52.     /\ ProduceFaults(msgsPrevote',
  53.                      SetOfMsgs([type: {"PREVOTE"}, src: Faulty, round: Rounds, id: Values]),
  54.                      NFaultyPrevotes)
  55.     /\ ProduceFaults(msgsPrecommit',
  56.                      SetOfMsgs([type: {"PRECOMMIT"}, src: Faulty, round: Rounds, id: Values]),
  57.                      NFaultyPrecommits)
  58.     /\ ProduceFaults(msgsPropose',
  59.                      SetOfMsgs([type: {"PROPOSAL"}, src: Faulty, round: Rounds,
  60.                                 proposal: Values, validRound: Rounds \cup {NilRound}]),
  61.                      NFaultyProposals)
  62.     /\ evidence = EmptyMsgSet
  63. 

  64. \* Add faults incrementally
  65. NextWithFaults ==
  66.     \* either the protocol makes a step
  67.     \/ Next
  68.     \* or a faulty process sends a message
  69.     \//\ UNCHANGED <<round, step, decision, lockedValue,
  70.                      lockedRound, validValue, validRound, evidence>>
  71.       /\ \E p \in Faulty:
  72.          \E r \in Rounds:
  73.            \//\ UNCHANGED <<msgsPrevote, msgsPrecommit>>
  74.              /\ \E proposal \in ValidValues \union {NilValue}:
  75.                 \E vr \in RoundsOrNil:
  76.                   BroadcastProposal(p, r, proposal, vr)
  77.            \//\ UNCHANGED <<msgsPropose, msgsPrecommit>>
  78.              /\ \E id \in ValidValues \union {NilValue}:
  79.                   BroadcastPrevote(p, r, id)
  80.            \//\ UNCHANGED <<msgsPropose, msgsPrevote>>
  81.              /\ \E id \in ValidValues \union {NilValue}:
  82.                   BroadcastPrecommit(p, r, id)
  83. 

  84. (******************************** PROPERTIES  ***************************************)
  85. \* simple reachability properties to see that the spec is progressing
  86. NoPrevote == \A p \in Corr: step[p] /= "PREVOTE" 
  87. 

  88. NoPrecommit == \A p \in Corr: step[p] /= "PRECOMMIT"   
  89. 

  90. NoValidPrecommit ==
  91.     \A r \in Rounds:
  92.       \A m \in msgsPrecommit[r]:
  93.         m.id = NilValue \/ m.src \in Faulty
  94. 

  95. NoHigherRounds == \A p \in Corr: round[p] < 1
  96. 

  97. NoDecision == \A p \in Corr: decision[p] = NilValue                    
  98. 

  99. =============================================================================    
  100.