Skip to content

Update CheckQuorum and DropIgnoredMessage in ccfraft.tla #7374

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Update CheckQuorum and DropIgnoredMessage in ccfraft.tla #7374

wants to merge 4 commits into from

Conversation

cjen1-msft
Copy link
Contributor

I found two places where our spec overapproximates the behaviours of CCF.

First CheckQuorum can always trigger on a leader, so in the case of a single nodeconfiguration it can trigger in the spec but never in practise.

Next the DropIgnoredMessage was allowed to drop messages if they were ignored. We specifically don't ignore RequestVote messages from unknown replicas, while this is allowed by the spec.

Both of these were causing false liveness counterexamples in testing of the prevote changes.

achamayou
achamayou reviewed Oct 20, 2025
View reviewed changes
tla/consensus/ccfraft.tla
CheckQuorum(i) ==
\* Check node is a leader (and therefore has not completed retirement)
/\ leadershipState[i] = Leader
\* There must be an active config which has a replica which is not this node
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In other words, there must be backups, if only on the horizon, for it to make sense to check quorum at all.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not quite, more that the condition will always succeed (thus not triggering checkquorum) unless there is at least one backup. But I'll update the comment to reflect that.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think they are the same? "there must be backups" <=> "there is at least one backup"? On the horizon as in, in active configs (but not necessarily committed yet).

achamayou
achamayou reviewed Oct 20, 2025
View reviewed changes
@achamayou achamayou added the run-long-verification Run Long Verification jobs label Oct 20, 2025
@achamayou
Copy link
Member

@cjen1-msft when Model Checking, we pass --disable-check-quorum, which goes through here, here and ultimately here.

The simulation is doing some CheckQuorum though.

eddyashton
eddyashton reviewed Oct 20, 2025
View reviewed changes
@cjen1-msft cjen1-msft marked this pull request as ready for review October 20, 2025 15:07
@cjen1-msft cjen1-msft requested a review from a team as a code owner October 20, 2025 15:07
@Copilot Copilot AI review requested due to automatic review settings October 20, 2025 15:07
Copilot
Copilot AI reviewed Oct 20, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR fixes two instances where the TLA+ specification over-approximated CCF's behavior, causing false liveness counterexamples. The changes align the specification more closely with the actual implementation by restricting when CheckQuorum can trigger and when messages can be dropped.

  • Adds a constraint to prevent CheckQuorum from triggering in single-node configurations
  • Prevents DropIgnoredMessage from dropping RequestVoteRequest messages from unknown nodes

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@achamayou achamayou achamayou approved these changes

@eddyashton eddyashton eddyashton left review comments

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

run-long-verification Run Long Verification jobs

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cjen1-msft @achamayou @eddyashton