Formal model for SBFT - initial version (#2350)

* Initial version of SBFT formal model.

In this version of the model we have the Slow
Commit path, for which we have proven that honest
replicas agree in their Commit messages to the
assignment of Client Operations to Sequence ID-s.
We have the mechanism of the View Change process
in the system modeled according to the definition in
BFT (excluding the Fast Commit Path) because it is
not yet modeled and we are missing the specifics
related to Checkpointing, since they are yet to be
modeled as well.

* Aligning PR with open concord-bft source policies

* Fixing the GitHub repo link

Co-authored-by: teoparvanov <tparvanov@vmware.com>

Author: HristoStaykov

.gitignore

@@ -24,3 +24,8 @@ MakefileCustom
 # Apollo test output
 */apollo/Testing/*
 Testing
+
+# Dafny profiling logs
+/.dafny
+dafny-qi.profile
+triggers

docs/sbft-formal-model/README.md

@@ -0,0 +1,77 @@
+# Project overview
+The aim of this sub-project is to both document and to formally specify the concord-bft state machine replication (SMR) protocol. 
+
+Given the distributed nature of the concord-bft protocol, unit tests offer limited means of establishing the desired state machine replication (SMR) safety properties. The main tool we use for proving correctness is an integration testing framework code-named [Apollo](https://github.com/vmware/concord-bft/tree/master/tests/apollo) which creates mini-blockchain deployments and exercises various runtime scenarios (including straight case, replica failures, network faults, as well as certain byzantine cases).
+
+Apollo does give us good confidence as to the correctness and fault tolerance of the concord-bft SMR. But even if we bring test coverage to 100%, we can never be sure that we have discovered all possible bugs and failure scenarios.
+
+We use Dafny and first-order logic to model and prove the safety properties of the protocol's core state machine (liveness properties are out of scope for now).
+
+# Dev instructions
+
+The Dafny model can be used as a document, for proving SBFT correctness properties, or as input for property-based tests of the implementation's core components.
+
+## Install Docker itself if you don't have it already.
+
+  * [Mac installer](https://docs.docker.com/v17.12/docker-for-mac/install/)
+
+  * [Windows installer](https://docs.docker.com/v17.12/docker-for-windows/install/)
+
+  * On linux:
+
+```bash
+sudo apt install docker.io
+sudo service docker restart
+sudo addgroup $USER docker
+newgrp docker
+```
+
+## Pull the image.
+(This is the slow thing; it includes a couple GB of Ubuntu.)
+
+```bash
+docker pull jonhdotnet/summer_school:1.1
+```
+
+## Run the image
+
+Run the image connected to your filesystem so you can edit in your OS, and then run Dafny from inside the docker container:
+
+```bash
+mkdir work
+cd work
+docker container run -t -i --mount src="`pwd`",target=/home/dafnyserver/work,type=bind --workdir /home/dafnyserver/work jonhdotnet/summer_school:1.1 /bin/bash
+git clone https://github.com/vmware/concord-bft
+cd concord-bft/docs/sbft-formal-model
+```
+
+Now you can edit files using your preferred native OS editor under the work/
+directory, and verify them with Dafny from the terminal that's running the
+docker image.
+
+The docker-based command-line Dafny installation above is offered as a
+portable, simple way to get started.  There do exist snazzy real-time Dafny
+integrations for IDEs (Visual Studio, VSCode) and editors (Emacs, Vim).  You
+are certainly welcome to install Dafny natively and integrate it with your
+editor if you prefer.
+
+## Test that the image works
+
+From the container started as described in the previous step run:
+
+```bash
+dafny /vcsCores:$(nproc) proof.dfy
+```
+
+If everything is working, you should see something like:
+
+```bash
+Dafny program verifier finished with 10 verified, 0 errors
+```
+
+# Acknowledgements and references
+
+This project builds on top of the concepts and framework described in
+https://github.com/GLaDOS-Michigan/summer-school-2021<br>
+
+Special thanks to [@jonhnet|https://github.com/jonhnet] for his help and support along the way.

docs/sbft-formal-model/application.s.dfy

@@ -0,0 +1,68 @@
+// Concord
+//
+// Copyright (c) 2022 VMware, Inc. All Rights Reserved.
+//
+// This product is licensed to you under the Apache 2.0 license (the "License").  You may not use this product except in
+// compliance with the Apache 2.0 License.
+//
+// This product may include a number of subcomponents with separate copyright notices and license terms. Your use of
+// these subcomponents is subject to the terms and conditions of the sub-component's license, as noted in the LICENSE
+// file.
+
+include "network.s.dfy"
+
+module Application {
+  import opened Library
+  type State(!new, ==)
+  type ClientRequest(!new, ==)
+  type ClientReply(!new, ==)
+  
+  function InitialState() : State
+  function Transition(state:State, clientRequest:ClientRequest) : (result:(State, ClientReply))
+  // This is an assumption given to us by the user.
+
+  datatype Variables = Variables(
+    state:State,
+    unprocessedRequests:set<ClientRequest>,
+    undeliveredReplies:set<ClientReply>
+  )
+
+  predicate Init(v:Variables)
+  {
+    && v.s == InitialState()
+  }
+
+  predicate AcceptRequest(v:Variables, v':Variables, clientRequest:ClientRequest)
+  {
+    && v' == v.(unprocessedRequests := v.unprocessedRequests + {clientRequest})
+  }
+
+  predicate ProcessRequest(v:Variables, v':Variables, clientRequest:ClientRequest)
+  {
+    && clientRequest in v.unprocessedRequests
+    && var newState, clientReply := Transition(v.state, clientRequest);
+    && v' == v.(state := newState)
+              .(undeliveredReplies := v.undeliveredReplies + {clientReply})
+              .(unprocessedRequests := v.unprocessedRequests - {clientRequest})
+  }
+
+  predicate DeliverReply(v:Variables, v':Variables, clientReply:ClientReply)
+  {
+    && clientReply in v.undeliveredReplies
+    && v' == v.(undeliveredReplies := v.undeliveredReplies - {clientReply})
+  }
+
+  // Jay Normal Form - Dafny syntactic sugar, useful for selecting the next step
+  datatype Step =
+// Recvs:
+    | AcceptRequestStep()
+
+  predicate NextStep(c:Constants, v:Variables, v':Variables, msgOps:Network.MessageOps<Message>, step: Step) {
+    match step
+       case RecvPrePrepareStep => RecvPrePrepare(c, v, v', msgOps)
+  }
+
+  predicate Next(c:Constants, v:Variables, v':Variables, msgOps:Network.MessageOps<Message>) {
+    exists step :: NextStep(c, v, v', msgOps, step)
+  }
+}

docs/sbft-formal-model/client.i.dfy

@@ -0,0 +1,90 @@
+// Concord
+//
+// Copyright (c) 2022 VMware, Inc. All Rights Reserved.
+//
+// This product is licensed to you under the Apache 2.0 license (the "License").  You may not use this product except in
+// compliance with the Apache 2.0 License.
+//
+// This product may include a number of subcomponents with separate copyright notices and license terms. Your use of
+// these subcomponents is subject to the terms and conditions of the sub-component's license, as noted in the LICENSE
+// file.
+
+include "network.s.dfy"
+include "cluster_config.s.dfy"
+include "messages.dfy"
+
+module Client {
+  import opened Library
+  import opened HostIdentifiers
+  import opened Messages
+  import Network
+  import ClusterConfig
+
+  // Define your Client protocol state machine here.
+  datatype Constants = Constants(myId:HostId, clusterConfig:ClusterConfig.Constants) {
+    // host constants coupled to DistributedSystem Constants:
+    // DistributedSystem tells us our id so we can recognize inbound messages.
+    predicate WF() {
+      && clusterConfig.WF()
+      && clusterConfig.N() <= myId < NumHosts()
+    }
+
+    predicate Configure(id:HostId, clusterConf:ClusterConfig.Constants) {
+      && myId == id
+      && clusterConfig == clusterConf
+    }
+  }
+
+  // Placeholder for possible client state
+  datatype Variables = Variables(
+    lastRequestTimestamp:nat,
+    lastReplyTimestamp:nat
+  ) {
+    
+    predicate WF(c:Constants)
+    {
+      && c.WF()
+      && lastRequestTimestamp >= lastReplyTimestamp
+    }
+  }
+
+  function PendingRequests(c:Constants, v:Variables) : nat
+    requires v.WF(c)
+  {
+    v.lastRequestTimestamp - v.lastReplyTimestamp
+  }
+
+  // Predicate that describes what is needed and how we mutate the state v into v' when SendPrePrepare
+  // Action is taken. We use the "binding" variable msgOps through which we send/recv messages.
+  predicate SendClientOperation(c:Constants, v:Variables, v':Variables, msgOps:Network.MessageOps<Message>)
+  {
+    && v.WF(c)
+    && msgOps.IsSend()
+    && PendingRequests(c,v) == 0
+    && var msg := msgOps.send.value;
+    && msg.payload.ClientRequest?
+    && msg.sender == c.myId
+    && msg.payload.clientOp.sender == c.myId
+    && msg.payload.clientOp.timestamp == v.lastRequestTimestamp + 1
+    && v' == v.(lastRequestTimestamp := v.lastRequestTimestamp + 1)
+  }
+  
+  predicate Init(c:Constants, v:Variables) {
+    && v.WF(c)
+    && v.lastRequestTimestamp == 0
+    && v.lastReplyTimestamp == 0
+  }
+
+  // Jay Normal Form - syntactic sugar, useful for selecting the next step
+  datatype Step =
+    | SendClientOperationStep()
+
+  predicate NextStep(c:Constants, v:Variables, v':Variables, msgOps:Network.MessageOps<Message>, step: Step) {
+    match step
+       case SendClientOperationStep() => SendClientOperation(c, v, v', msgOps)
+  }
+
+  predicate Next(c:Constants, v:Variables, v':Variables, msgOps:Network.MessageOps<Message>) {
+    exists step :: NextStep(c, v, v', msgOps, step)
+  }
+}

docs/sbft-formal-model/cluster_config.s.dfy

@@ -0,0 +1,72 @@
+// Concord
+//
+// Copyright (c) 2022 VMware, Inc. All Rights Reserved.
+//
+// This product is licensed to you under the Apache 2.0 license (the "License").  You may not use this product except in
+// compliance with the Apache 2.0 License.
+//
+// This product may include a number of subcomponents with separate copyright notices and license terms. Your use of
+// these subcomponents is subject to the terms and conditions of the sub-component's license, as noted in the LICENSE
+// file.
+
+include "network.s.dfy"
+
+module ClusterConfig {
+  import opened HostIdentifiers
+
+  datatype Constants = Constants(
+    maxByzantineFaultyReplicas:nat,
+    numClients:nat
+  ) {
+
+    predicate WF()
+    {
+      && maxByzantineFaultyReplicas > 0 // Require non-trivial BFT system
+      && numClients > 0
+    }
+
+    function ClusterSize() : nat
+      requires WF()
+    {
+      N() + numClients
+    }
+
+    function F() : nat
+      requires WF()
+    {
+      maxByzantineFaultyReplicas
+    }
+
+    function ByzantineSafeQuorum() : nat
+      requires WF()
+    {
+      F() + 1
+    }
+
+    function N() : nat  // BFT Replica Size
+      requires WF()
+    {
+      3 * F() + 1
+    }
+
+    function AgreementQuorum() : nat
+      requires WF()
+    {
+      2 * F() + 1
+    }
+
+    predicate IsReplica(id:HostId)
+      requires WF()
+    {
+      && ValidHostId(id)
+      && 0 <= id < N()
+    }
+
+    predicate IsClient(id:HostId)
+      requires WF()
+    {
+      && ValidHostId(id)
+      && N() <= id < NumHosts()
+    }
+  }
+}