Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MBT: keep the latest N heights per client in TLA+ model #633

Closed
5 tasks
vitorenesduarte opened this issue Feb 10, 2021 · 7 comments · Fixed by #701
Closed
5 tasks

MBT: keep the latest N heights per client in TLA+ model #633

vitorenesduarte opened this issue Feb 10, 2021 · 7 comments · Fixed by #701
Assignees
@vitorenesduarte

Comments

@vitorenesduarte
Copy link
Contributor

vitorenesduarte commented Feb 10, 2021
edited
Loading

Crate

modules

Problem Definition

The TLA+ model in #601 only keeps a single height per client. The Rust implementation of the mock chain keeps, per client, a ClientState and several ConsensusStates such that the height in the ClientState is the max of the heights in the all the ConsensusStates. Keeping several ConsensusStates allows verifying messages containing proofs with heights lower than the latest height (the one in the ClientState).

Proposal

The TLA+ model should be extended to instead keep the latest N heights per client. (In the current model, N = 1.)

For Admin Use

  • Not duplicate issue
  • Appropriate labels applied
  • Appropriate milestone (priority) applied
  • Appropriate contributors tagged
  • Contributor assigned/self-assigned
@vitorenesduarte vitorenesduarte self-assigned this Feb 10, 2021
@vitorenesduarte vitorenesduarte mentioned this issue Feb 10, 2021
Merged
5 tasks
@ancazamfir
Copy link
Collaborator

ancazamfir commented Feb 11, 2021
edited
Loading

This is a good start. In addition we should model the ClientState, Header and ConsensusState in the TLA for ICS02. Currently all these are equated to a height. I also believe we should have a TLA spec for ICS07 at some point and have MBT tests for ICS02+ICS07 that use Tendermint specific headers and states. We can open other issues for this but want to make sure we do this at some point.

@ancazamfir
Copy link
Collaborator

The implementation keeps, per client, a ClientState and several ConsensusStates such that the height in the ClientState is the max of the heights in the all the ConsensusStates.

Which implementation?

@vitorenesduarte
Copy link
Contributor Author

The implementation keeps, per client, a ClientState and several ConsensusStates such that the height in the ClientState is the max of the heights in the all the ConsensusStates.

Which implementation?

The Rust implementation. I updated the top-level comment clarifying that.

@ancazamfir
Copy link
Collaborator

ancazamfir commented Feb 11, 2021
edited
Loading

The implementation keeps, per client, a ClientState and several ConsensusStates such that the height in the ClientState is the max of the heights in the all the ConsensusStates.

Which implementation?

The Rust implementation. I updated the top-level comment clarifying that.

Maybe we should say the Rust implementation of the mock chain?
And then should we say:
The TLA+ model should be extended to instead keep the latest N consensus states per client. (In the current model, N = 1 and the consensus state is a height.)

I also think the TLA+ model should specify that the create_client includes a client state and a consensus state while the update_client includes a header. There is no distinction among these in the mock chain implementation but this will very likely change. Then the MBT code should take this into account.

@ancazamfir
Copy link
Collaborator

Also, iirc the TLA+ spec keeps multiple heights per client and I thought you confirmed when we talked last time.

@vitorenesduarte
Copy link
Contributor Author

vitorenesduarte commented Feb 11, 2021
edited
Loading

Maybe we should say the Rust implementation of the mock chain?

Done.

And then should we say:
The TLA+ model should be extended to instead keep the latest N consensus states per client. (In the current model, N = 1 and the consensus state is a height.)
Also, iirc the TLA+ spec keeps multiple heights per client and I thought you confirmed when we talked last time.

Yes, that's why I wrote The TLA+ model should be extended to instead keep the latest N heights per client but maybe I misunderstood what's the intention here. Why should it say latest N consensus states per client instead of latest N heights per client? What else should be consensus state be in the TLA+ model?

I also think the TLA+ model should specify that the create_client includes a client state and a consensus state while the update_client includes a header. There is no distinction among these in the mock chain implementation but this will very likely change. Then the MBT code should take this into account.

The TLA+ spec (not the one for MBT) also contains a single height in the create client datagram:
https://github.com/informalsystems/ibc-rs/blob/b654af39c0c658d831cff42ccb11ac5562a43793/docs/spec/tla/ibc-core/ICS02ClientHandlers.tla#L17-L21

@ancazamfir
Copy link
Collaborator

Yes, in create we just add one. But update should add to the client consensus state set. I believe around here: https://github.com/informalsystems/ibc-rs/blob/b654af39c0c658d831cff42ccb11ac5562a43793/docs/spec/tla/ibc-core/ICS02ClientHandlers.tla#L62-L69

@vitorenesduarte vitorenesduarte mentioned this issue Feb 22, 2021
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@vitorenesduarte vitorenesduarte

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

MBT for ICS03 informalsystems/hermes
2 participants
@vitorenesduarte @ancazamfir