working draft

Author: joshuazh-x

bootstrap.go

@@ -76,5 +76,7 @@ func (rn *RawNode) Bootstrap(peers []Peer) error {
 	for _, peer := range peers {
 		rn.raft.applyConfChange(pb.ConfChange{NodeID: peer.ID, Type: pb.ConfChangeAddNode}.AsV2())
 	}
+
+	traceBootstrap(rn.raft)
 	return nil
 }

raft.go

@@ -1963,6 +1963,8 @@ func (r *raft) applyConfChange(cc pb.ConfChangeV2) pb.ConfState {
 		panic(err)
 	}
 
+	traceConfChangeEvent(cfg, r)
+
 	return r.switchToConfig(cfg, trk)
 }
 
@@ -1973,8 +1975,6 @@ func (r *raft) applyConfChange(cc pb.ConfChangeV2) pb.ConfState {
 //
 // The inputs usually result from restoring a ConfState or applying a ConfChange.
 func (r *raft) switchToConfig(cfg tracker.Config, trk tracker.ProgressMap) pb.ConfState {
-	traceConfChangeEvent(cfg, r)
-
 	r.trk.Config = cfg
 	r.trk.Progress = trk
 

rawnode.go

@@ -491,6 +491,8 @@ func (rn *RawNode) Advance(_ Ready) {
 		rn.stepsOnAdvance[i] = pb.Message{}
 	}
 	rn.stepsOnAdvance = rn.stepsOnAdvance[:0]
+
+	traceAdvance(rn.raft)
 }
 
 // Status returns the current status of the given group. This allocates, see

state_trace.go

@@ -30,6 +30,7 @@ type stateMachineEventType int
 
 const (
 	rsmInitState stateMachineEventType = iota
+	rsmBootstrap
 	rsmBecomeCandidate
 	rsmBecomeFollower
 	rsmBecomeLeader
@@ -38,6 +39,7 @@ const (
 	rsmChangeConf
 	rsmApplyConfChange
 	rsmReady
+	rsmAdvance
 	rsmSendAppendEntriesRequest
 	rsmReceiveAppendEntriesRequest
 	rsmSendAppendEntriesResponse
@@ -53,6 +55,7 @@ const (
 func (e stateMachineEventType) String() string {
 	return []string{
 		"InitState",
+		"Bootstrap",
 		"BecomeCandidate",
 		"BecomeFollower",
 		"BecomeLeader",
@@ -61,6 +64,7 @@ func (e stateMachineEventType) String() string {
 		"ChangeConf",
 		"ApplyConfChange",
 		"Ready",
+		"Advance",
 		"SendAppendEntriesRequest",
 		"ReceiveAppendEntriesRequest",
 		"SendAppendEntriesResponse",
@@ -86,6 +90,7 @@ type TracingEvent struct {
 	State      TracingState       `json:"state"`
 	Role       string             `json:"role"`
 	LogSize    uint64             `json:"log"`
+	Applied    uint64             `json:"applied"`
 	Conf       [2][]string        `json:"conf"`
 	Message    *TracingMessage    `json:"msg,omitempty"`
 	ConfChange *TracingConfChange `json:"cc,omitempty"`
@@ -173,6 +178,7 @@ func traceEvent(evt stateMachineEventType, r *raft, m *raftpb.Message, prop map[
 		NodeID:     strconv.FormatUint(r.id, 10),
 		State:      makeTracingState(r),
 		LogSize:    r.raftLog.lastIndex(),
+		Applied:    r.raftLog.applied,
 		Conf:       [2][]string{formatConf(r.trk.Voters[0].Slice()), formatConf(r.trk.Voters[1].Slice())},
 		Role:       r.state.String(),
 		Message:    makeTracingMessage(m),
@@ -206,10 +212,18 @@ func traceInitState(r *raft) {
 	traceNodeEvent(rsmInitState, r)
 }
 
+func traceBootstrap(r *raft) {
+	traceNodeEvent(rsmBootstrap, r)
+}
+
 func traceReady(r *raft) {
 	traceNodeEvent(rsmReady, r)
 }
 
+func traceAdvance(r *raft) {
+	traceNodeEvent(rsmAdvance, r)
+}
+
 func traceCommit(r *raft) {
 	traceNodeEvent(rsmCommit, r)
 }

state_trace_nop.go

@@ -29,8 +29,12 @@ type TracingEvent struct{}
 
 func traceInitState(*raft) {}
 
+func traceBootstrap(*raft) {}
+
 func traceReady(*raft) {}
 
+func traceAdvance(*raft) {}
+
 func traceCommit(*raft) {}
 
 func traceReplicate(*raft, ...raftpb.Entry) {}

tla/MCetcdraft.cfg

@@ -34,7 +34,9 @@ CONSTANTS
     AddNewServer    <- MCAddNewServer
     DeleteServer    <- MCDeleteServer
     AddLearner      <- MCAddLearner
+    Ready           <- MCReady
 
+      
     InitServerVars  <- etcdInitServerVars
     InitLogVars     <- etcdInitLogVars
     InitConfigVars  <- etcdInitConfigVars
@@ -65,5 +67,4 @@ INVARIANTS
     LogMatchingInv
     QuorumLogInv
     MoreUpToDateCorrectInv
-    LeaderCompletenessInv
-    CommittedIsDurableInv
+    LeaderCompletenessInv

tla/MCetcdraft.tla

@@ -42,22 +42,30 @@ etcdInitServerVars  == /\ currentTerm = [i \in Server |-> IF i \in InitServer TH
                        /\ votedFor    = [i \in Server |-> Nil]
 etcdInitLogVars     == /\ log          = [i \in Server |-> IF i \in InitServer THEN BootstrapLog ELSE <<>>]
                        /\ commitIndex  = [i \in Server |-> IF i \in InitServer THEN Cardinality(InitServer) ELSE 0]
+                       /\ applied      = [i \in Server |-> 0]
 etcdInitConfigVars  == /\ config = [i \in Server |-> [ jointConfig |-> IF i \in InitServer THEN <<InitServer, {}>> ELSE <<{}, {}>>, learners |-> {}]]
-                       /\ reconfigCount = 0 \* the bootstrap configuraitons are not counted
+                       /\ appliedConfChange = [i \in Server |-> Len(BootstrapLog)]
 
 \* This file controls the constants as seen below.
 \* In addition to basic settings of how many nodes are to be model checked,
 \* the model allows to place additional limitations on the state space of the program.
 
+\* Check the # of reconfigurations and return true if it is lower than ReconfigurationLimit
+UnderReconfigLimit ==
+    LET leaders == {i \in Server : state[i] = Leader}
+    IN  
+        \E i \in leaders : 
+            /\ \A j \in leaders \ {i} : Len(log[i]) >= Len(log[j])
+            /\ ReconfigurationLimit > FoldSeq(LAMBDA x, y: IF x.type = ConfigEntry THEN 1 ELSE 0, -Cardinality(InitServer), log[i])
 \* Limit the # of reconfigurations to ReconfigurationLimit
 MCAddNewServer(i, j) ==
-    /\ reconfigCount < ReconfigurationLimit
+    /\ UnderReconfigLimit
     /\ etcd!AddNewServer(i, j)
 MCDeleteServer(i, j) ==
-    /\ reconfigCount < ReconfigurationLimit
+    /\ UnderReconfigLimit
     /\ etcd!DeleteServer(i, j)
 MCAddLearner(i, j) ==
-    /\ reconfigCount < ReconfigurationLimit
+    /\ UnderReconfigLimit
     /\ etcd!AddLearner(i, j)
 
 \* Limit the terms that can be reached. Needs to be set to at least 3 to
@@ -104,6 +112,15 @@ MCSend(msg) ==
         /\ msg.mtype = AppendEntriesRequest
     /\ etcd!Send(msg)
 
+\* If there is no new message and no state change, we can skip Advance to reduce state spece
+\* to be explored
+MCReady(i) ==
+    LET rd == ReadyData(args[1])
+    IN 
+        /\ \/ rd.msgs /= EmptyBag
+           \/ DurableStateFromReady(rd) /= durableState[i]
+        /\ Ready(i)
+
 mc_etcdSpec ==   
     /\ Init
     /\ [][NextDynamic]_vars

tla/README.md

@@ -72,6 +72,11 @@ The TLA+ spec defines the desired behaviors of the model. To validate the correc
 ./validate-model.sh -s ./MCetcdraft.tla -c ./MCetcdraft.cfg 
 ```
 
+You can also add `-m` option to run model checking in simulation mode, which will randomly walk in the state machine and is helpful for finding issues quickly.
+
+```console
+./validate-model.sh -m -s ./MCetcdraft.tla -c ./MCetcdraft.cfg 
+```
 
 ## Validate Collected Traces
 With above example trace logger, validate.sh can be used to validate traces parallelly.

tla/Traceetcdraft.cfg

@@ -71,5 +71,4 @@ INVARIANTS
     LogMatchingInv
     QuorumLogInv
     MoreUpToDateCorrectInv
-    LeaderCompletenessInv
-    CommittedIsDurableInv
+    LeaderCompletenessInv

tla/Traceetcdraft.tla

@@ -54,40 +54,35 @@ TraceServer == TLCEval(FoldSeq(
                             THEN {x.event.nid, x.event.prop.cc.changes[1].nid} 
                             ELSE {x.event.nid},
     {}, TraceLog))
-        
-BootstrapLogIndicesForServer(i) ==
-    LET 
-        FirstBootstrapLogIndex == SelectInSeq(TraceLog, LAMBDA x: x.event.nid = i /\ x.event.name \in {"InitState", "BecomeFollower", "ApplyConfChange"})
-        FirstNonBootstrapLogIndex == SelectInSeq(TraceLog, LAMBDA x: x.event.nid = i /\ x.event.name \notin {"InitState", "BecomeFollower", "ApplyConfChange"})
-        LastBootstrapLogIndexUpperBound == IF FirstNonBootstrapLogIndex = 0 THEN Len(TraceLog) ELSE FirstNonBootstrapLogIndex-1
-    IN 
-        { k \in FirstBootstrapLogIndex..LastBootstrapLogIndexUpperBound: TraceLog[k].event.nid = i }
-            
-BootstrapLogIndices == UNION { BootstrapLogIndicesForServer(i): i \in Server }
-
-LastBootstrapLog == [ i \in Server |-> TraceLog[Max(BootstrapLogIndicesForServer(i))] ]
-
-BootstrappedConfig(i) == 
-    IF LastBootstrapLog[i].event.name = "ApplyConfChange" THEN 
-        ToSet(LastBootstrapLog[i].event.prop.cc.newconf)
-    ELSE 
-        ToSet(LastBootstrapLog[i].event.conf[1])
-
-TraceInitServer == BootstrappedConfig(TraceLog[1].event.nid)
+
+BootstrapIndex == [ i \in Server |-> SelectInSeq(TraceLog, LAMBDA  x: x.event.nid = i /\ x.event.name = "Bootstrap") ]
+
+TraceInitServer == { i \in Server : BootstrapIndex[i] > 0 }
 ASSUME TraceInitServer \subseteq TraceServer   
 
-TraceInitServerVars == /\ currentTerm = [i \in Server |-> LastBootstrapLog[i].event.state.term]
-                       /\ state = [i \in Server |-> LastBootstrapLog[i].event.role]
-                       /\ votedFor = [i \in Server |-> LastBootstrapLog[i].event.state.vote]
-TraceInitLogVars    == /\ log          = [i \in Server |-> [j \in 1..LastBootstrapLog[i].event.log |-> [ term |-> 1, type |-> "ConfigEntry", value |-> [newconf |-> BootstrappedConfig(i), learners |-> {}]]]]
-                       /\ commitIndex  = [i \in Server |-> LastBootstrapLog[i].event.state.commit]
+BootstrapEntries(i) == FoldSeq(
+    LAMBDA x, y: Append(y, [ term |-> 1, 
+                             type |-> "ConfigEntry", 
+                             value |-> [ newconf |-> ToSet(TraceLog[x].event.prop.cc.newconf), learners |-> {}] ]),
+    <<>>, 
+    SetToSortSeq({j \in DOMAIN TraceLog : /\ j < BootstrapIndex[i] 
+                                          /\ TraceLog[j].event.nid = i 
+                                          /\ TraceLog[j].event.name = "ApplyConfChange"}, <) ) 
+
+TraceInitServerVars == /\ currentTerm = [i \in Server |-> IF i \in InitServer THEN 1 ELSE 0]
+                       /\ state = [i \in Server |-> Follower]
+                       /\ votedFor = [i \in Server |-> Nil]
+TraceInitLogVars    == /\ log          = [i \in Server |-> BootstrapEntries(i)]
+                       /\ commitIndex  = [i \in Server |-> Len(log[i])]
+                       /\ applied      = [i \in Server |-> 0]
 TraceInitConfigVars == 
-    /\ config = [i \in Server |-> [ jointConfig |-> <<BootstrappedConfig(i), {}>>, learners |-> {}] ]
-    /\ reconfigCount = 0 
+    /\ config = [i \in Server |-> [ jointConfig |-> <<IF i \in InitServer THEN ToSet(TraceLog[BootstrapIndex[i]].event.conf[1]) ELSE {}, {}>>, learners |-> {}] ]
+    /\ appliedConfChange = [i \in Server |-> Len(log[i])]
 
 
 -------------------------------------------------------------------------------------
-ConfFromLog(l) == << ToSet(l.event.conf[1]), ToSet(l.event.conf[2]) >>
+ConfFromTrace(l) == << ToSet(l.event.conf[1]), ToSet(l.event.conf[2]) >>
+NewConfFromTrace(l) == << ToSet(l.event.prop.cc.newconf), {} >>
 
 OneMoreMessage(msg) ==
     \/ msg \notin DOMAIN pendingMessages /\ msg \in DOMAIN pendingMessages' /\ pendingMessages'[msg] = 1
@@ -99,29 +94,44 @@ OneLessMessage(msg) ==
 
 -------------------------------------------------------------------------------------
 
+\* In some state, we will restrict the state exploration to only follow the actions in
+\* constrained behavior. This is to reduce state space to be explored.
+VARIABLE behaviorProgress
+
+Ready_PersistState_SendMessages_Behavior(i) == 
+    << "Ready", "PersistState", "SendMessage" >>
+
+StepToNextBehaviorAction(i) ==
+    IF behaviorProgress[i] = Len(Ready_PersistState_SendMessages_Behavior) THEN
+        behaviorProgress' = [behaviorProgress EXCEPT ![i] = 1]
+    ELSE
+        behaviorProgress' = [behaviorProgress EXCEPT ![i] = @ + 1]
+
+IsAllowedBehaviorAction(i, name) ==
+    Ready_PersistState_SendMessages_Behavior[behaviorProgress[i]] = name
+
 VARIABLE l
 logline == TraceLog[l]
-VARIABLE pl
-
 
 TraceInit ==
     /\ l = 1
-    /\ pl = 0
-    /\ logline = TraceLog[l]
+    /\ behaviorProgress = [i \in Server |-> 1]
     /\ Init
 
 StepToNextTrace == 
-    /\ l' = l+1
-    /\ pl' = l
-    /\ l % (Len(TraceLog) \div 100) = 0 => PrintT(<< "Progress %:", (l * 100) \div Len(TraceLog)>>)
-    /\ l' > Len(TraceLog) => PrintT(<< "Progress %:", 100>>)
+    IF behaviorProgress[logline.event.nid] > 1 THEN
+        \* Trace shall stay in current position until all actions
+        \* in the behavior are performed
+        UNCHANGED l
+    ELSE
+        /\ l' = l+1
+        /\ l % (Len(TraceLog) \div 100) = 0 => PrintT(<< "Progress %:", (l * 100) \div Len(TraceLog) >>) 
+        /\ l' > Len(TraceLog) => PrintT(<< "Progress %:", 100>>)
 
 StepToNextTraceIfMessageIsProcessed(msg) ==
     IF OneLessMessage(msg) 
         THEN StepToNextTrace
-        ELSE
-            /\ pl' = l 
-            /\ UNCHANGED <<l>>
+        ELSE UNCHANGED <<l>>
 
 -------------------------------------------------------------------------------------
 
@@ -354,9 +364,19 @@ ApplySimpleConfChangeIfLogged(i) ==
     /\ LoglineIsNodeEvent("ApplyConfChange", i)
     /\ ApplySimpleConfChange(i)
 
-ReadyIfLogged(i) ==
+ReadyBehaviorIfLogged(i) ==
     /\ LoglineIsNodeEvent("Ready", i)
-    /\ Ready(i)
+    /\ \/ /\ IsAllowedBehaviorAction(i, "Ready")
+          /\ Ready(i)
+       \/ /\ IsAllowedBehaviorAction(i, "PersistState")
+          /\ PersistState(i)
+       \/ /\ IsAllowedBehaviorAction(i, "SendMessages")
+          /\ SendMessages(i)
+    /\ StepToNextBehaviorAction
+
+AdvanceIfLogged(i) ==
+    /\ LoglineIsNodeEvent("Advance", i)
+    /\ Advance(i) 
 
 RestartIfLogged(i) ==
     /\ LoglineIsNodeEvent("InitState", i)
@@ -385,7 +405,9 @@ StepDownToFollowerIfLogged(i) ==
 
 \* skip unused logs
 SkipUnusedLogline ==
-    /\ \/ /\ LoglineIsEvent("SendAppendEntriesResponse")
+    /\ \/ /\ l < Len(TraceLog) 
+          /\ l <= BootstrapIndex[logline.event.nid] 
+       \/ /\ LoglineIsEvent("SendAppendEntriesResponse")
           /\ logline.event.msg.from # logline.event.msg.to
        \/ /\ LoglineIsEvent("SendRequestVoteResponse")
           /\ logline.event.msg.from # logline.event.msg.to
@@ -421,7 +443,9 @@ TraceNextNonReceiveActions ==
        \/ /\ LoglineIsEvent("ApplyConfChange")
           /\ \E i \in Server: ApplySimpleConfChangeIfLogged(i)
        \/ /\ LoglineIsEvent("Ready")
-          /\ \E i \in Server: ReadyIfLogged(i)
+          /\ \E i \in Server: ReadyBehaviorIfLogged(i)
+       \/ /\ LoglineIsEvent("Advance")
+          /\ \E i \in Server: AdvanceIfLogged(i)
        \/ /\ LoglineIsEvent("InitState")
           /\ \E i \in Server: RestartIfLogged(i)
        \/ /\ LoglineIsEvent("BecomeFollower")
@@ -444,7 +468,7 @@ TraceNext ==
           \/ TraceNextReceiveActions
 
 TraceSpec ==
-    TraceInit /\ [][TraceNext]_<<l, pl, vars>>
+    TraceInit /\ [][TraceNext]_<<l, behaviorProgress, vars>>
 
 -------------------------------------------------------------------------------------
 
@@ -454,7 +478,7 @@ TraceView ==
      \* appears the second time in the trace.  Put differently,  TraceView  causes TLC to
      \* consider  s_i  and s_j  , where  i  and  j  are the positions of  s  in the trace,
      \* to be different states.
-    <<vars, l>>
+    <<vars, l, behaviorProgress>>
 
 -------------------------------------------------------------------------------------