Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Relayer TLA+ specification, connection and channel handshake datagrams #55

Merged
merged 8 commits into from
May 26, 2020
Merged

Relayer TLA+ specification, connection and channel handshake datagrams #55

merged 8 commits into from
May 26, 2020

Conversation

istoilkovska
Copy link
Contributor

@istoilkovska istoilkovska commented Apr 15, 2020
edited
Loading

Description

WIP for #5

Updated Relayer TLA+ specification, that in addition to client update datagrams, now handles connection and channel handshake datagrams.

The whole specification now contains five modules:

  • Relayer.tla (the main module)
  • Environment.tla
  • ClientHandlers.tla
  • ConnectionHandlers.tla
  • ChannelHandlers.tla

The module Relayer.tla contains the specification of the relayer algorithm.
It instantiates the module Environment.tla, which takes care of the chain logic.
The module Environment.tla extends the modules ClientHandlers.tla,
ConnectionHandlers.tla, and ChannelHandlers.tla, which contain definition of
operators that handle client, connection handshake, and channel handshake
datagrams, respectively.

The README.md file contains instructions about how to load the specification in
the TLA+ Toolbox and check the specified invariants and properties with TLC.

For contributor use:

  • Unit tests written
  • Added test to CI if applicable
  • Updated CHANGELOG_PENDING.md
  • Linked to Github issue with discussion and accepted design OR link to spec that describes this work.
  • Updated relevant documentation (docs/) and code comments
  • Re-reviewed Files changed in the Github PR explorer

@istoilkovska istoilkovska changed the title Ilina/tla specs [WIP] Relayer TLA+ specification, connection and channel handshake datagrams Apr 15, 2020
@adizere adizere added connection I: logic Internal: related to the relaying logic I: spec Internal: related to IBC specifications labels Apr 17, 2020
adizere
adizere reviewed Apr 20, 2020
View reviewed changes
Copy link
Member

@adizere adizere left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks amazing, though I am a bit surprised by the whopping complexity. The sharing of variables across files (pendingDatagrams) makes it hard to follow. However, this problem is exacerbated on my side since I'm still getting comfortable with TLA+.

verification/spec/relayer/Environment.tla Outdated Show resolved Hide resolved
verification/spec/relayer/Relayer.tla Outdated Show resolved Hide resolved
verification/spec/relayer/Relayer.tla Outdated Show resolved Hide resolved
verification/spec/relayer/Environment.tla Outdated Show resolved Hide resolved
verification/spec/relayer/Environment.tla Show resolved Hide resolved
verification/spec/relayer/ConnectionHandlers.tla Show resolved Hide resolved
verification/spec/relayer/Relayer.tla Outdated Show resolved Hide resolved
This was referenced Apr 20, 2020
Closed
Merged
@ancazamfir
Copy link
Collaborator

Relay calls PendingDatagrams for each (srcChainID, dstChainID) combination in chainIDs but then inside PendingDatagrams we do both (srcChainID, dstChainID) and (dstChainID, srcChainID) so it seems we do the work twice. I think we can simplify PendingDatagrams to only build the datagrams to dstChainID.

milosevic
milosevic reviewed May 19, 2020
View reviewed changes
verification/spec/relayer/ChannelHandlers.tla Outdated
/\ dgr.type = "ChanOpenInit"
/\ dgr.channelID = GetChannelID(chainID)} IN

IF chanOpenInitDgrs /= {} /\ chain.connectionEnd.state /= "UNINIT"
Copy link
Contributor

@milosevic milosevic May 19, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should it be chain.connectionEnd.channelEnd.state?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this check is for the state of the underlying connection, to make sure it is initiated.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Exactly, there's a line in the ICS04 handlers stating abortTransactionUnless(connection !== null) or abortTransactionUnless(connection.state === OPEN).

milosevic
milosevic reviewed May 19, 2020
View reviewed changes
verification/spec/relayer/Relayer.tla Outdated
\* connection datagrams from dstChainID to srcChainID
LET srcConnectionDatagrams == ComputeConnectionDatagrams(dstChainID, srcChainID) IN
\* connection datagrams from srcChainID to dstChainID
LET dstConnectionDatagrams == ComputeConnectionDatagrams(srcChainID, dstChainID) IN
Copy link
Contributor

@milosevic milosevic May 19, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I am not wrong ConnOpenInit will be created for both source and destination chain in case dstConnectionEnd.state = "UNINIT" /\ srcConnectionEnd.state = "UNINIT"? We want non-deterministically to send it only to one of the chain.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is fixed now, we are only sending in one direction, i.e., from srcChainID to dstChainID

milosevic
milosevic reviewed May 19, 2020
View reviewed changes
verification/spec/relayer/ClientHandlers.tla Outdated
LET clientUpdatedChain == [
height |-> chain.height,
counterpartyClientHeight |-> IF updateClientHeights /= {}
THEN Max(updateClientHeights)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should store all installed heights, not just the maximum height.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indeed, installing only the maximum height violates liveness.

milosevic
milosevic approved these changes May 19, 2020
View reviewed changes
Copy link
Contributor

@milosevic milosevic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Amazing work! Few comments that should probably be addressed in a separate PR:

  • Chain height (environment) should be increased before datagrams are processed.
  • Protocols should manage its state, not chain. For example, connectionEnd should not be part of the chain, but connection handshake protocol.
  • It might be useful to be able to have minimal relayer spec (with a very simple protocol on top) so we can check if relayer satisfies high level properties (for example eventual message delivery)
  • We should always have at least two correct relayer processes and adversarial relayers (probably sufficient to model as adversary network)
  • We probably want to be more precise with respect to management of ids. Ids are owned by the chains and then relayer need to pick right id and to try to create the corresponding client.
  • We probably want to model configuration based relayer, i.e., similar functionality should be modelled using constants
  • I am not sure if counterpartyClientHeight is the best name for this concept. We probably want to emphasise that it is light client state, but we probably only need height as part of it to model important mechanisms.
  • I am not sure if UpdateRelayerClients should be atomic action. I think this should
    be part of the relay functionality.

ancazamfir
ancazamfir approved these changes May 19, 2020
View reviewed changes
Copy link
Collaborator

@ancazamfir ancazamfir left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The spec look great!! Thanks Ilina!

verification/spec/relayer/ChannelHandlers.tla Outdated
/\ dgr.type = "ChanOpenInit"
/\ dgr.channelID = GetChannelID(chainID)} IN

IF chanOpenInitDgrs /= {} /\ chain.connectionEnd.state /= "UNINIT"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this check is for the state of the underlying connection, to make sure it is initiated.

verification/spec/relayer/ChannelHandlers.tla Show resolved Hide resolved
@istoilkovska @adizere
Update verification/spec/relayer/Environment.tla
9121195 
Co-authored-by: Adi Seredinschi <adi@informal.systems>
@adizere adizere mentioned this pull request May 22, 2020
Merged
6 tasks
@istoilkovska istoilkovska merged commit 6e01704 into master May 26, 2020
@istoilkovska istoilkovska deleted the ilina/tla_specs branch May 27, 2020 08:47
@milosevic milosevic changed the title [WIP] Relayer TLA+ specification, connection and channel handshake datagrams Relayer TLA+ specification, connection and channel handshake datagrams Jun 2, 2020
@ancazamfir ancazamfir added this to the 0.5-5mo milestone Jun 10, 2020
@ancazamfir ancazamfir mentioned this pull request Jun 10, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adizere adizere adizere left review comments

@ancazamfir ancazamfir ancazamfir approved these changes

@milosevic milosevic milosevic approved these changes

@romac romac Awaiting requested review from romac

Assignees
No one assigned
Labels
I: logic Internal: related to the relaying logic I: spec Internal: related to IBC specifications
Projects
None yet
Milestone
0.5-5mo
Development

Successfully merging this pull request may close these issues.
4 participants
@istoilkovska @ancazamfir @milosevic @adizere