Basic packet flow in TLA+

[istoilkovska]

Closes: #124

Description

Added support for handling the basic packet flow in the Relayer TLA+ specification. Currently, the spec handles sending, receiving, and acknowledgements of packets.

The following basic packet flow is assumed:

1. ChainA sends a packet by writing a sent packet log entry to the packet log and writing a packet commitment
2. A relayer reads the packet log, picks the sent packet log entry, and creates PacketRecv datagram for ChainB
3. ChainB processes the PacketRecv datagram, and adds the received packet to its set of packets that should be acknowledged (asynchronous acknowledgements)
4. ChainB writes the acknowledgement by writing a log entry to the packet log
5. A relayer reads the packet log, picks the write ack log entry, and creates PacketAck datagram for ChainA
6. ChainA processes the PacketAck datagram by deleting the packet commitment of the original sent packet

The packets and packet logs are sequences, rather than sets. This is to ensure that there is order in sending, receiving, and acknowledgements of packets.

---

For contributor use:

• Unit tests written
• Added test to CI if applicable
• Updated CHANGELOG_PENDING.md
• Linked to Github issue with discussion and accepted design OR link to spec that describes this work.
• Updated relevant documentation (docs/) and code comments
• Re-reviewed Files changed in the Github PR explorer

[ancazamfir]

Very nice spec! I have a few comments after the first pass. Struggling with TLC, one relayer and minimal config, it still runs after almost 1hr.

[ancazamfir]

I think we should have a sequence of datagrams for everything. We can get handshake datagrams interleaved with packet datagrams and the order matters. And then in the function we should process them in order.

[istoilkovska]

Yes, I had the idea to transition to sequences of datagams completely. But doing so increases the state space that TLC enumerates. Will try to think about better handling, while still processing datagrams in order.

[milosevic]

Agree with Anca that orders matter. We can have either sequence or handle only single datagram at the time.

[codecov-commenter]

Codecov Report

Merging #248 into master will increase coverage by 20.4%.
The diff coverage is 55.2%.

@@            Coverage Diff            @@
##           master    #248      +/-   ##
=========================================
+ Coverage    13.6%   34.1%   +20.4%     
=========================================
  Files          69     106      +37     
  Lines        3752    7112    +3360     
  Branches     1374    2579    +1205     
=========================================
+ Hits          513    2430    +1917     
- Misses       2618    4318    +1700     
+ Partials      621     364     -257     

Impacted Files	Coverage Δ
modules/src/events.rs	0.0% <ø> (ø)
modules/src/ics02_client/events.rs	0.0% <ø> (ø)
modules/src/ics02_client/raw.rs	0.0% <0.0%> (ø)
modules/src/ics03_connection/error.rs	16.6% <0.0%> (-16.7%)	⬇️
...ules/src/ics03_connection/handler/conn_open_ack.rs	87.5% <ø> (ø)
.../src/ics03_connection/handler/conn_open_confirm.rs	87.5% <ø> (ø)
modules/src/ics04_channel/error.rs	75.0% <ø> (+50.0%)	⬆️
modules/src/ics04_channel/packet.rs	0.0% <0.0%> (ø)
modules/src/ics07_tendermint/client_def.rs	0.0% <0.0%> (ø)
modules/src/ics07_tendermint/consensus_state.rs	18.5% <0.0%> (-14.9%)	⬇️
... and 165 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 4877ee9...fc2dd62. Read the comment docs.

[milosevic]

What is the purpose of history variable?

[istoilkovska]

We use the history variable in the invariant we check with Apalache. The history variable is a record that stores flags about the state of the connection and channel ends. The flags are set once, when the state changes. The invariant checks that if a flag is set, the state of the connection or channel end does not go back to a previous state.

Example: a connection is open, and the flag history.connOpen is set to TRUE. The following invariant has to hold:

history.connOpen => /\ chainA.connectionEnd.state /= "UNINIT"
                    /\ chainA.connectionEnd.state /= "INIT"
                    /\ chainA.connectionEnd.state /= "TRYOPEN"

[milosevic]

Why the structure is not the same as with others, i.e., it contains HandlePacketRecv and HandlePacketAck that internally check for the datagram type?

[istoilkovska]

It is because the PacketUpdate operator computes the update to the chain store with a single packet datagram, taken from the sequence of packet datagrams, while the other *Update operators update the chain store with a set of datagrams, which is obtained by taking a subset of the incoming datagrams, containing datagrams of particular type.

[milosevic]

I am not sure if we need to model event log as it is not necessarily, i.e., current ICS18 is not using it. It might be useful as part of MBT, but in the initial version I would prefer having the minimal set of functionalities needed.

[istoilkovska]

We can have it merged like this for now, I will experiment to see if by removing it we can obtain some model checking results.

[milosevic]

This is a model constraint, not the handler one; ideally they should not be mixed and model constraint can be a precondition at the higher level.

[istoilkovska]

I've refactored this action a bit.

[milosevic]

Should we add timeout handling here? Then it seems complete.

[milosevic]

Also, what about channel closing? Is it also triggered "externally"?

[ancazamfir]

channel closing is triggered by the application so yes the trigger is "external"

[istoilkovska]

We currently have a flag for each chain that triggers channel closing, which is non-deterministically set by the environment. When we add timeouts we would have channel closing that is triggered by a timeout.

[milosevic]

I am wondering if we are missing important aspect here as we don't use chain and connection id from packetDatagram to fetch local connection and channel end.

[istoilkovska]

We can check in lines 32-33

/\ packetDatagram.srcChannelID = channelEnd.channelID
/\ packetDatagram.dstChannelID = channelEnd.counterpartyChannelID

where channelEnd is defined like in line 17. This should filter out packet datagrams that do not have the correct channelIDs.

[milosevic]

LGTM. There are few comments that could be addressed and few more general concerns that we can address later.

[ancazamfir]

Looks good! Thanks Ilina!