-
Notifications
You must be signed in to change notification settings - Fork 352
/
Copy pathICS3Module.tla
580 lines (460 loc) · 21.9 KB
/
ICS3Module.tla
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
-------------------------- MODULE ICS3Module ------------------------------
(***************************************************************************
This module is part of the TLA+ specification for the
IBC Connection Handshake protocol (ICS3).
This module captures the actions and operators of the ICS3 protocol.
Typically, it is an IBC module running on a chain that would implement
the logic in this TLA+ module, hence the name "ICS3Module".
sometimes abbreviated to "chModule" or "chm".
This module deals with a high-level spec of the ICS3 protocol, so it is
a simplification with respect to ICS3 proper in several regards:
- the modules assumes to run on a chain which we model as a simple
advancing height, plus a few more critical fields (see the 'store'),
but without any state (e.g., blockchain, transactions, consensus core);
- we model a single connection; establishing multiple connections is not
possible;
- we do not perform any cryptographic proof verifications;
- the abstractions we use are higher-level, and slightly different from
the ones in ICS3 (see e.g., ConnectionEnd and Connection records).
- the client colocated with the module is simplified, comprising only
a set of heights (not the actual blockchain headers).
***************************************************************************)
EXTENDS Naturals, FiniteSets, Sequences, ICS3Utils, ICS3Types
CONSTANTS MaxChainHeight, \* Maximum height of the local chain.
ConnectionIDs, \* The set of valid connection IDs.
ClientIDs, \* The set of valid client IDs.
MaxBufLen, \* Maximum length of the input and output buffers.
MaxVersionNr, \* Maximum version number
ChainID, \* The chainID
VersionPickMode \* the mode for picking versions
ASSUME Cardinality(ConnectionIDs) >= 1
ASSUME Cardinality(ClientIDs) >= 1
VARIABLES
(******************************* Store *****************************
The store record of a chain contains the following fields:
- chainID -- a string.
Stores the identifier of the chain where this module executes.
- latestHeight -- a natural number in the range 1..MaxHeight.
Describes the current height of the chain.
- connection -- a connection record.
Captures all the details of the connection on this chain.
For a full description of a connection record, see the
'Environment.Connections' set.
- client -- a client record.
Specifies the state of the client running on this chain.
A client record contains the following fields:
- consensusHeights -- a set of heights.
Stores the set of all heights (i.e., consensus states) that this
client observed.
- clientID -- a string.
The identifier of the client.
- latestHeight -- a natural number in the range 1..MaxHeight.
Stores the latest height among all the heights in consensusHeights.
For more details on how clients are initialized, see the operator
ICS3Types.InitClients.
***************************************************************************)
store,
(* A buffer (Sequence) holding any message(s) incoming to this module. *)
inBuf,
(* A buffer (Sequence) holding outbound message(s) from this module. *)
outBuf
moduleVars ==
<<inBuf, outBuf, store>>
(***************************************************************************
Helper operators.
***************************************************************************)
(* Simple computation returning the maximum out of two numbers 'a' and 'b'.
*)
MAX(a, b) ==
IF a > b THEN a ELSE b
MAXSet(S) ==
CHOOSE x \in S: \A y \in S: y <= x
(* Validates a connection parameter.
Returns true if 'para' matches the parameters in the local connection,
and returns false otherwise.
*)
ValidConnectionParameters(para) ==
LET local == store.connection.parameters.localEnd
remote == store.connection.parameters.remoteEnd
IN /\ local.connectionID = para.localEnd.connectionID
/\ remote.connectionID = para.remoteEnd.connectionID
/\ local.clientID = para.localEnd.clientID
/\ remote.clientID = para.remoteEnd.clientID
(* Validates a connection parameter local end.
Expects as input a ConnectionParameter 'para' and returns true or false.
This is a basic validation step, making sure that the local end in 'para'
is valid with respect to module-level constants ConnectionIDs and ClientIDs.
*)
ValidLocalEnd(para) ==
/\ para.localEnd.connectionID \in ConnectionIDs
/\ para.localEnd.clientID \in ClientIDs
(* Operator for reversing the connection ends.
Given a ConnectionParameters record 'para', returns a new set
of parameters where the local and remote ends are
flipped (i.e., reversed).
*)
FlipConnectionParameters(para) ==
[localEnd |-> para.remoteEnd,
remoteEnd |-> para.localEnd]
(* Operator for constructing a connection proof.
The connection proof is used to demonstrate to another chain that the
local store on this chain comprises a connection in a certain state.
*)
GetConnProof(myConnection) ==
[connection |-> myConnection]
(* Operator for constructing a client proof.
*)
GetClientProof ==
[latestHeight |-> store.client.latestHeight,
consensusHeights |-> store.client.consensusHeights]
(* Verification of a connection proof.
This is a state predicate returning true if the following holds:
- the state of connection in this proof should match with input parameter
'expectedState'; and
- the connection parameters in this proof should match with the flipped version
of the input 'expectedParams'.
*)
VerifyConnProof(cp, expectedState, expectedParams) ==
/\ cp.connection.state = expectedState
/\ cp.connection.parameters = FlipConnectionParameters(expectedParams)
(* Verification of a client proof.
This is a state predicate returning true if the following holds: the height
reported in the client proof must not exceed the current (latestHeight) of
this chain.
*)
VerifyClientProof(cp) ==
/\ cp.latestHeight <= store.latestHeight (* Consistency height check. *)
/\ cp.latestHeight \in cp.consensusHeights (* Client verification step. *)
(* Get all possible version sequences from a set of versions.
*)
VersionSetAsVersionSequences(S) ==
LET E == 1..Cardinality(S) IN
LET AllSeqs == [E -> S] IN
{seq \in AllSeqs : seq \in AllVersionSeqs}
(***************************************************************************
Connection Handshake Module actions & operators.
***************************************************************************)
(* Modifies the local store.
Replaces the connection in the store with the argument 'newCon'.
This action also advances the chain height.
*)
NewStore(newCon) ==
[store EXCEPT !.connection = newCon,
!.latestHeight = @ + 1]
(**********************************
ICS3 spec related to Init messages.
**********************************)
(* State predicate, guarding the handler for the Init msg.
If any of these preconditions does not hold, the message
is dropped.
*)
PreconditionsInitMsg(m) ==
/\ ValidLocalEnd(m.parameters) (* Basic validation of localEnd in parameters. *)
/\ store.connection.state = "UNINIT"
(* Reply message to an ICS3MsgInit message.
*)
MsgInitReply(chainStore) ==
LET conn == chainStore.connection
myConnProof == GetConnProof(conn)
myClientProof == GetClientProof
replyMsg == [parameters |-> FlipConnectionParameters(conn.parameters),
type |-> "ICS3MsgTry",
proofHeight |-> chainStore.latestHeight,
connProof |-> myConnProof,
clientProof |-> myClientProof,
version |-> conn.version] IN
replyMsg
(* Handles a "ICS3MsgInit" message 'm'.
Primes the store.connection to become initialized with the parameters
specified in 'm'. Also creates a reply message, enqueued on the outgoing
buffer. This reply message will include proofs that match the height of
this chain (i.e., current store.latestHeight + 1).
*)
HandleInitMsg(m) ==
LET newCon == [parameters |-> m.parameters,
state |-> "INIT",
version |-> store.connection.version]
newStore == NewStore(newCon) IN
IF PreconditionsInitMsg(m)
THEN {newStore}
ELSE {store}
(**********************************
ICS3 spec related to Try messages.
**********************************)
(* State predicate, guarding the handler for the Try msg.
If any of these preconditions does not hold, the message
is dropped.
*)
PreconditionsTryMsg(m) ==
/\ \/ /\ store.connection.state = "UNINIT"
/\ ValidLocalEnd(m.parameters)
\/ /\ store.connection.state = "INIT"
/\ ValidConnectionParameters(m.parameters)
/\ m.proofHeight \in store.client.consensusHeights (* Consistency height check. *)
/\ VerifyConnProof(m.connProof, "INIT", m.parameters)
/\ VerifyClientProof(m.clientProof)
\* check if the locally stored versions overlap with the versions sent in
\* the ICS3MsgTry message
/\ VersionSequencesOverlap(store.connection.version, m.version)
(* Pick a version depending on the value of the constant VersionPickMode
- if VersionPickMode = "onTryNonDet" or VersionPickMode = "overwrite"
-> pick a version from (m.version \intersect store.connection.version) non-deterministically,
send the picked version to counterparty in ICS3MsgAck
- if VersionPickMode = "onTryNonDet"
-> pick a version from (m.version \intersect store.connection.version) deterministically
(e.g., maximum), send the picked version to counterparty in ICS3MsgAck
- otherwise (version picking is done when handling ICS3MsgAck)
-> send the value of the intersection (m.version \intersect store.connection.version)
to counterparty in ICS3MsgConfirm
*)
PickVersionOnTry(m) ==
\* get a set of feasible versions --
\* the intersection between the local and the versions sent in the message
LET feasibleVersions == SequenceAsSet(m.version)
\intersect
SequenceAsSet(store.connection.version) IN
IF feasibleVersions /= {}
THEN IF \/ VersionPickMode = "overwrite"
\/ VersionPickMode = "onTryNonDet"
\* the version is picked non-deterministically
THEN {<<newVersion>> : newVersion \in feasibleVersions}
ELSE IF VersionPickMode = "onTryDet"
\* the version is picked deterministically,
\* using MAXSet as a deterministic choice function
THEN {<<MAXSet(feasibleVersions)>>}
\* the version will be picked when handling ICS3MsgAck,
\* send a sequence which consists of elements in the
\* set feasibleVersions
ELSE VersionSetAsVersionSequences(feasibleVersions)
ELSE {}
(* Reply message to an ICS3MsgTry message.
*)
MsgTryReply(chainStore) ==
LET conn == chainStore.connection
myConnProof == GetConnProof(conn)
myClientProof == GetClientProof
replyMsg == [parameters |-> FlipConnectionParameters(conn.parameters),
type |-> "ICS3MsgAck",
proofHeight |-> chainStore.latestHeight,
connProof |-> myConnProof,
clientProof |-> myClientProof,
version |-> conn.version] IN
replyMsg
(* Handles a "ICS3MsgTry" message.
*)
HandleTryMsg(m) ==
\* create a set of new connections, whose versions
\* were picked in OnTryPickVersion
LET newConnSet == [parameters : {m.parameters},
state : {"TRYOPEN"},
version : PickVersionOnTry(m)]
newStoreSet == {NewStore(newConn) : newConn \in newConnSet} IN
IF /\ PreconditionsTryMsg(m)
/\ newStoreSet /= {}
THEN newStoreSet
ELSE {store}
(**********************************
ICS3 spec related to Ack messages.
**********************************)
(* State predicate, guarding the handler for the Ack msg.
*)
PreconditionsAckMsg(m) ==
/\ \/ store.connection.state = "INIT"
\/ store.connection.state = "TRYOPEN"
/\ ValidConnectionParameters(m.parameters)
/\ m.proofHeight \in store.client.consensusHeights (* Consistency height check. *)
/\ VerifyConnProof(m.connProof, "TRYOPEN", m.parameters)
/\ VerifyClientProof(m.clientProof)
/\ IF VersionPickMode /= "overwrite"
\* check if the locally stored versions overlap with the versions sent in
\* the ICS3MsgAck message if VersionPickMode /= "overwrite"
THEN VersionSequencesOverlap(store.connection.version, m.version)
\* if VersionPickMode = "overwrite", do not check for version overlap
ELSE TRUE
(* Pick a version depending on the value of the constant VersionPickMode
- if VersionPickMode = "overwrite"
-> take the picked version from the message
- if VersionPickMode = "onAckNonDet"
-> pick a version from (m.version \intersect store.connection.version) non-deterministically,
send the picked version to counterparty in ICS3MsgConfirm
- if VersionPickMode = "onAckDet"
-> pick a version from (m.version \intersect store.connection.version) deterministically
(e.g., maximum), send the picked version to counterparty in ICS3MsgConfirm
- otherwise (version picking was done when handling ICS3MsgTry)
-> use m.version if (m.version \intersect store.connection.version) is not empty
(checked in PreconditionsAckMsg)
*)
PickVersionOnAck(m) ==
\* get a set of feasible versions --
\* the intersection between the local and the versions sent in the message
LET feasibleVersions == SequenceAsSet(m.version)
\intersect
SequenceAsSet(store.connection.version) IN
IF VersionPickMode = "overwrite"
\* take the picked version from the message
THEN {m.version}
ELSE IF feasibleVersions /= {}
THEN IF VersionPickMode = "onAckNonDet"
\* the version is picked non-deterministically
THEN {<<newVersion>> : newVersion \in feasibleVersions}
ELSE IF VersionPickMode = "onAckDet"
\* the version is picked deterministically,
\* using MAXSet as a deterministic choice function
THEN {<<MAXSet(feasibleVersions)>>}
\* the version was picked when handling ICS3MsgTry,
\* use the picked version from the ICS3MsgAck message
ELSE {m.version}
ELSE {}
(* Reply message to an ICS3MsgAck message.
*)
MsgAckReply(chainStore) ==
LET conn == chainStore.connection
myConnProof == GetConnProof(conn)
replyMsg == [parameters |-> FlipConnectionParameters(conn.parameters),
proofHeight |-> chainStore.latestHeight,
type |-> "ICS3MsgConfirm",
connProof |-> myConnProof,
version |-> conn.version] IN
replyMsg
(* Handles a "ICS3MsgAck" message.
*)
HandleAckMsg(m) ==
LET newConnSet == [parameters : {m.parameters},
state : {"OPEN"},
version : PickVersionOnAck(m)]
newStoreSet == {NewStore(newConn) : newConn \in newConnSet} IN
IF /\ PreconditionsAckMsg(m)
/\ newStoreSet /= {}
THEN newStoreSet
ELSE {store}
(**************************************
ICS3 spec related to Confirm messages.
**************************************)
(* State predicate, guarding the handler for the Confirm msg.
*)
PreconditionsConfirmMsg(m) ==
/\ store.connection.state = "TRYOPEN"
/\ ValidConnectionParameters(m.parameters)
/\ m.proofHeight \in store.client.consensusHeights (* Consistency height check. *)
/\ VerifyConnProof(m.connProof, "OPEN", m.parameters)
/\ IF VersionPickMode /= "overwrite"
\* check if the locally stored versions overlap with the versions sent in
\* the ICS3MsgConfirm message if VersionPickMode /= "overwrite"
THEN IF \/ VersionPickMode = "onAckNonDet"
\/ VersionPickMode = "onAckDet"
\* if the version was picked on handling ICS3MsgAck, check for intersection
THEN VersionSequencesOverlap(store.connection.version, m.version)
\* if the version was picked on handling ICS3MsgTry, check for equality
ELSE store.connection.version = m.version
\* if VersionPickMode = "overwrite", do not check for version overlap
ELSE TRUE
(* Pick a version depending on the value of the constant VersionPickMode
- if VersionPickMode = "overwrite"
-> take the picked version from the message
- if VersionPickMode = "onAckNonDet"
-> pick a version from store.connection.version non-deterministically
- if VersionPickMode = "onAckDet"
-> pick a version from store.connection.version deterministically
(e.g., maximum)
- otherwise
-> use store.connection.version if
* version picking was done when handling ICS3MsgAck and
(m.version \intersect store.connection.version) is not empty
* version picking was done when handling ICS3MsgTry and
m.version = store.connection.version
(both conditions checked in PreconditionsAckMsg)
*)
PickVersionOnConfirm(m) ==
IF VersionPickMode = "overwrite"
\* take the picked version from the message
THEN {m.version}
ELSE IF VersionPickMode = "onAckNonDet"
\* the version is picked non-deterministically
THEN {<<newVersion>> : newVersion \in SequenceAsSet(store.connection.version)}
ELSE IF VersionPickMode = "onAckDet"
\* the version is picked deterministically,
\* using MAXSet as a deterministic choice function
THEN {<<MAXSet(SequenceAsSet(store.connection.version))>>}
\* the version was picked when handling ICS3MsgTry,
\* use the picked version from the ICS3MsgAck message
ELSE {store.connection.version}
(* Handles a "ICS3MsgConfirm" message.
*)
HandleConfirmMsg(m) ==
LET newConnSet == [parameters : {m.parameters},
state : {"OPEN"},
version : PickVersionOnConfirm(m)]
newStoreSet == {NewStore(newConn) : newConn \in newConnSet} IN
IF /\ PreconditionsConfirmMsg(m)
/\ newStoreSet /= {}
THEN newStoreSet
ELSE {store}
(* Action for advancing the current height (latestHeight) of the chain.
The environment triggers this as part of the GoodNextEnv action.
*)
AdvanceChainHeight ==
store' = [store EXCEPT !.latestHeight = @ + 1]
(* State predicate returning true if MaxChainHeight not yet attained.
*)
CanAdvance ==
store.latestHeight < MaxChainHeight
(* Action for updating the local client on this chain with a new height.
This primes the store; leaves the chain buffers unchanged.
This will also advance the chain height.
*)
UpdateClient(height) ==
/\ store' = [store EXCEPT !.latestHeight = @ + 1,
!.client.consensusHeights = @ \cup {height},
!.client.latestHeight = MAX(height, store.client.latestHeight)]
(* State predicate guarding the UpdateClient action.
This requires client updates to be monotonic (prevents updates with older
heights).
*)
CanUpdateClient(newHeight) ==
/\ CanAdvance
/\ newHeight > store.client.latestHeight
(* Generic action for handling any type of inbound message.
Expects as parameter a message.
Takes care of priming the 'store' and adding any reply msg in 'outBuf'.
This action assumes the message type is valid, therefore one of the
disjunctions (in the CASE statements) will always enable.
*)
ProcessMsg ==
/\ inBuf /= <<>>
/\ CanAdvance
/\ LET m == Head(inBuf)
resStores == CASE m.type = "ICS3MsgInit" -> HandleInitMsg(m)
[] m.type = "ICS3MsgTry" -> HandleTryMsg(m)
[] m.type = "ICS3MsgAck" -> HandleAckMsg(m)
[] m.type = "ICS3MsgConfirm" -> HandleConfirmMsg(m) IN
/\ store' \in resStores
/\ outBuf' = CASE m.type = "ICS3MsgInit" (* Get reply to the Init msg. *)
/\ store'.connection.state = "INIT" -> Append(outBuf, MsgInitReply(store'))
[] m.type = "ICS3MsgTry" (* Get reply to the Try msg. *)
/\ store'.connection.state = "TRYOPEN" -> Append(outBuf, MsgTryReply(store'))
[] m.type = "ICS3MsgAck" (* Get reply to the Ack msg. *)
/\ store'.connection.state = "OPEN" -> Append(outBuf, MsgAckReply(store'))
[] TRUE -> outBuf (* Default case: no reply necessary. *)
/\ inBuf' = Tail(inBuf)
(***************************************************************************
Connection Handshake Module (ICS3) main spec.
***************************************************************************)
Init ==
store \in [chainID : {ChainID},
latestHeight : {1},
connection : NullConnections,
client : InitClients(ClientIDs)]
Next ==
\/ ProcessMsg
\/ UNCHANGED moduleVars
Fairness ==
WF_moduleVars(ProcessMsg)
TypeInvariant ==
/\ inBuf \in Seq(ConnectionHandshakeMessages) \union {<<>>}
/\ outBuf \in Seq(ConnectionHandshakeMessages) \union {<<>>}
/\ store \in Stores
=============================================================================
\* Modification History
\* Last modified Thu Aug 27 16:00:21 CEST 2020 by adi
\* Last modified Wed Aug 26 17:05:35 CEST 2020 by ilinastoilkovska
\* Created Fri Apr 24 19:08:19 CEST 2020 by adi