Check refinement of high-level spec abs with all models #6509
Conversation
lemmy
force-pushed
the
mku-refine
branch
2 times, most recently
from
d5e8fbe
to
6963930
Compare
with MaxUncommittedCount (see max_uncommitted_tx_count in raft.h) that restricts the length by which a log may be extended in each step. Signed-off-by: Markus Alexander Kuppe <github.com@lemmster.de>
(Maintains the checked state space) Signed-off-by: Markus Alexander Kuppe <github.com@lemmster.de>
Clearly, refinement mapping belongs in ccfraft, but we couldn't do that up until recently because of a TLC limitation that was resolved by tlaplus/tlaplus#441. Depends on TLA+ PR tlaplus/tlaplus#1014 Signed-off-by: Markus Alexander Kuppe <github.com@lemmster.de>
Add node may copy the longest log from some other node and extend the copied log in one step. Background: microsoft#6493 (comment) Co-authored-by: Amaury Chamayou <amchamay@microsoft.com> Signed-off-by: Markus Alexander Kuppe <github.com@lemmster.de>
…ion, simulation). Signed-off-by: Markus Alexander Kuppe <github.com@lemmster.de>
…fixes by expressing abs!Extend and abs!CopyMaxAndExtend axiomatically. Signed-off-by: Markus Alexander Kuppe <github.com@lemmster.de>
MUC does not apply to some log entries, i.e, signatures, ... Signed-off-by: Markus Alexander Kuppe <github.com@lemmster.de>
Signed-off-by: Markus Alexander Kuppe <github.com@lemmster.de>
|
Unless I am missing something, this change is adding very substantially to the runtime of long model checks: Before: https://github.com/microsoft/CCF/actions/runs/11107110210/job/30856948052 After: https://github.com/microsoft/CCF/actions/runs/11127867170/job/30921202022?pr=6509 These are already by far our longest running jobs, my fervent hope is that we find ways to speed them up so we can relax the state space restrictions, and this seems to be taking us in the wrong direction. |
This doesn't seem directly related to this pull request. There's nothing preventing us from relaxing the state-space restrictions and skipping the refinement checks in those models. |
Agreed, but there remains an open question about the value of the abstract model, and of the refinement. We are already severely constrained in the space we can check, adding the refinement makes that substantially worse. I am not sure what the utility of having it and not checking would be. |
|
This was merged despite the failure of two long-running jobs. The last successful checks were completed with commit bbd4a4f. The causes seems to be that |
ccfraft, but we couldn't do that up until recently because of a TLC limitation that was resolved by Better parameterized instantiation support tlaplus/tlaplus#441 (depended on TLA+ PR Refinement checking for INSTANCEs with arguments. tlaplus/tlaplus#1014)CopyMaxAndExtendaction. Add node may copy the longest log from some other node and extend the copied log in one step. Background: Check refinement of high-level spec abs for configs with reconfiguration. #6493 (comment)abs!Extendandabs!CopyMaxAndExtendaxiomatically.Replaces #6493
and depends on #6508.