
Prove safety property on scaling-down for Rabbitmq controller #220

Merged
merged 11 commits into from
Aug 28, 2023

Conversation

euclidgame
Contributor

@euclidgame euclidgame commented Aug 22, 2023

Prove the property that the stateful set never scales down in the rabbitmq controller. Details can be found in #223. To supplement it, the concrete invariants in the code are as follows:

  • Invariant 1: stateful_set_not_scaled_down
  • Invariant 2: object_in_sts_update_request_has_smaller_rv_than_etcd
  • Invariant 3: replicas_of_stateful_set_update_request_msg_is_no_smaller_than_etcd
  • Invariant 4: replicas_of_etcd_stateful_set_satisfies_order
  • Invariant 5: object_in_ok_get_response_has_smaller_rv_than_etcd
  • Invariant 6: response_at_after_get_stateful_set_step_is_sts_get_response
  • Invariant 7: object_in_ok_get_resp_is_same_as_etcd_with_same_rv
  • Invariant 7: replicas_of_stateful_set_create_or_update_request_msg_satisfies_order
  • Invariant 8: etcd_and_scheduled_and_triggering_cr_in_correct_order
  • Invariant 9: object_in_every_create_or_update_request_msg_only_has_valid_owner_references
  • Invariant 10: every_owner_ref_of_every_object_in_etcd_has_different_uid_from_uid_counter

Each corresponds to a spec function.

@@ -1112,4 +1096,124 @@ pub proof fn lemma_true_leads_to_always_no_delete_sts_req_is_in_flight(spec: Tem
);
}

/// This spec tells that when the reconciler is at AfterGetStatefulSet, and there is a matched response, the reponse must be
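Review bot: the new doc comment added at the end of this hunk contains a typo: "reponse" should be "response". Since this comment is the only summary a reader of the spec gets, it is worth fixing before merge.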
Collaborator

We can probably have a lemma saying that for any get request, the matched get response has the same object key in its content, which applies to all controllers.

Contributor Author

The thing is we still need a lemma to say that at get stateful set step the pending request is xxx. So I decided to wrap the two. But it does no harm to write the lemma you mentioned.

@vmwclabot

@euclidgame, you must sign every commit in this pull request acknowledging our Developer Certificate of Origin before your changes are merged. This can be done by adding Signed-off-by: John Doe <[email protected]> to the last line of each Git commit message. The e-mail address used to sign must match the e-mail address of the Git author. Click here to view the Developer Certificate of Origin agreement.

Add from_dynamic_object_result_determined_by_unmarshal. Use spec as 
parameters for some lemmas.

---------

Signed-off-by: Wenjie Ma <[email protected]>
Prove some of the helper invariants. Then, assuming the rest hold, prove the
top-level safety property.

---------

Signed-off-by: Wenjie Ma <[email protected]>
Add generics to the Message Type.

---------

Signed-off-by: Wenjie Ma <[email protected]>
Compact some similar lemmas. Try to delete some useless functions. Move
some lemmas to the common module (i.e., kubernetes_cluster::proof, not specific
to one controller). Refactor the file structure to make it more reasonable.
Reword some comments and naming. Try to make the verification more stable.
Rename lower_rv => smaller_rv.

---------

Signed-off-by: Wenjie Ma <[email protected]>
@marshtompsxd marshtompsxd changed the title Add safety property for rabbitmq Specify and prove safety property on scaling-down for Rabbitmq controller Aug 27, 2023
@marshtompsxd marshtompsxd changed the title Specify and prove safety property on scaling-down for Rabbitmq controller Prove safety property on scaling-down for Rabbitmq controller Aug 27, 2023
);
}

pub open spec fn ok_get_response_msg() -> FnSpec(MsgType<E>) -> bool {
Collaborator

Maybe is_ok_get_response_msg?

&& msg.content.get_get_response().res.is_Ok()
}

pub open spec fn ok_get_response_msg_with_key(key: ObjectRef) -> FnSpec(MsgType<E>) -> bool {
Collaborator

Maybe is_ok_get_response_msg_and_matches_key

msg.src.is_KubernetesAPI()
&& msg.content.is_get_response()
&& msg.content.get_get_response().res.is_Ok()
&& msg.content.get_get_response().res.get_Ok_0().object_ref() == key
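Review bot: the body of ok_get_response_msg_with_key repeats the three conjuncts that already make up ok_get_response_msg (the src.is_KubernetesAPI(), is_get_response() and res.is_Ok() checks, the last of which is visible above in ok_get_response_msg). Consider defining the keyed predicate in terms of the unkeyed one, i.e. `ok_get_response_msg()(msg) && msg.content.get_get_response().res.get_Ok_0().object_ref() == key`, so that a future change to what counts as an OK get response cannot make the two predicates drift apart.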
Collaborator

I think we can later rename object_ref() to key() or sth, to avoid confusion with another reference (owner reference)

Contributor Author

Actually what is the source of object_ref?

Collaborator

It's a datatype defined in kube-rs library, but we don't have to follow the name.

Contributor Author

I don't think this will cause confusion. Owner reference means reference of the owner, and I never omit "owner" when referring to it.

Collaborator

@euclidgame I see you were documenting the invariants in #223. Do you want to copy some of those documents here?

@marshtompsxd marshtompsxd merged commit feacf12 into main Aug 28, 2023
1 check passed
@marshtompsxd marshtompsxd deleted the rabbitmq_safety branch September 4, 2023 17:02