mirror of
https://github.com/tendermint/tendermint.git
synced 2026-01-06 13:26:23 +00:00
1f0cf7762b
* Initial commit * Add three timeouts and align pseudocode better with existing algorithm * Align protocol with Tendermint code and add find valid value mechanism * Prepare to Nuke Develop (#47) * state -> step * vote -> v * New version of the algorithm and the proof * New version of the algorithm and the proofs * Added algorithm description * Add algorithm description * Add introduction * Add conclusion * Add conclusion file * fix warnings (caption was defined twice) - only the latter is used anyways (centers captions) - this makes it possible to autom. building the paper * Update grammar * s/state_p/step_p * Address Ismail's comments * intro: language fixes * definitions: language fixes * consensus: various fixes * proof: some fixes * try to improve reviewability * \eq -> = * textwrap to 79 * various minor fixes * proof: fix itemization * proof: more minor fixes * proof: timeouts are functions * proof: fixes to lemma6 * Intro changes and improve title page * Add Marko and Ming to acks * add readme * Format algorithm correctly Clarify condition semantic and timeouts Improve descriptions * patform -> platform * Ensure that rules are mutually exclusive - various clarifications and small improvements * Release v0.6 * small nits for smoother readability * This PR is to create signed commits to be able to merge (#50) Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * Add consesnus and blockchain specs, (#52) - Open questions - Do we want to split lite client work from consesnsus - From the blockchain spec, is encoding nessecary in the spec Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * Add ABCI SPEC (#51) - move the abci spec from tendermint to spec repo Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * spec/consensus/signing: add more details about nil and amnesia (#54) - Add more details about nil votes and about amnesia attacks Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * Add Section for P2P (#53) * Add Section for P2P - moved over the section on p2p Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * add some more files Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * Fix model section * Add non-recursive specification of Bisection algorithm - Fix timing issues by introducing Delta parameter * spec: update spec with tendermint updates (#62) * spec: update spec with tendermint updates - this in preperation of deleting the spec folder in docs in tendermint/tendermint Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * spec: added in reactors & p2p Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * spec: update readme in spec to comply with docs site Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * docs: addded more changes from tednermint/tendermint Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * reflect breaking changes made to Commit (#63) * reflect breaking changes made to Commit PR: https://github.com/tendermint/tendermint/pull/4146 Issue: https://github.com/tendermint/tendermint/issues/1648 * types: rename Commit#Precommits to Signatures * update BlockIDFlagAbsent comment * remove iota * Clean up error conditions and simplify pseudocode * Apply suggestions from code review Co-Authored-By: Anca Zamfir <ancazamfir@users.noreply.github.com> * Add spec doc about unconditional_peer, persistent_peers_max_dial of ADR-050 (#68) * Add spec doc about unconditional_peer_ids, persistent_peers_max_dial_period of ADR-050 * Add indefinitely dialing condition * Add sr25519 amino documentation (#67) * sr25519 amino * Update spec/blockchain/encoding.md Co-Authored-By: Marko <marbar3778@yahoo.com> * some suggestions for pseuodocode changes * Improved error handling * Add explanation on difference between trusted models * Address reviewer's comments * Addressing reviewer's comments * Separating algorithm from proofs * Intermediate commit (aligning spec with the code) * Removing Store from API and providing end-to-end timing guarantees * Address reviewer comment's. Intermediate commit * light client dir and readmes * titles * add redirects * add diagram * detection TODO * fix image * update readme * Aligh the correctness arguments with the pseudocode changes * lite->light * Fix link in readme ./light -> ./light-client * p2p: Merlin based malleability fixes (#72) * Update the secret connection spec with the use of merlin to eliminte handshake malleability * Update spec/p2p/peer.md Co-Authored-By: Anton Kaliaev <anton.kalyaev@gmail.com> * Update spec/p2p/peer.md Co-Authored-By: Anton Kaliaev <anton.kalyaev@gmail.com> * Update spec/p2p/peer.md Co-Authored-By: Anton Kaliaev <anton.kalyaev@gmail.com> Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com> * docs: update specs to remove cmn (#77) - cmn was remvoed in favor of sub pkgs. cmn.kvpair is now kv.pair Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * evidence: Add time to evidence params (#69) * evidence: Add time to evidence params - this pr is grouped together with https://github.com/tendermint/tendermint/pull/4254, once that PR is merged then this one can be as well. Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * remove note Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * Apply suggestions from code review Co-Authored-By: Anton Kaliaev <anton.kalyaev@gmail.com> Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com> * update link to the pex reactor * add markdown link checker * changed tab spacing * removed folder-path flag * first attempt at fixing all links * second attempt at fixing all links * codeowners: add code owners (#82) * codeowners: add code owners - added some codeowners please comment if youd like to be added as well. Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * remove comment of repo maintainers * remove .idea dir (#83) Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * RFC-001: configurable block retention (#84) * Added RFC for truncated block history coordination * Clarified minimum block retention * Added hard checks on block retention and snapshot interval, and made some minor tweaks * Genesis parameters are immutable * Use local config for snapshot interval * Reordered parameter descriptions * Clarified local config option for snapshot-interval * rewrite for ABCI commit response * Renamed RFC * add block retention diagram * Removed retain_blocks table * fix image numbers * resolved open questions * image quality * accept RFC-001 (#86) * abci: add basic description of ABCI Commit.ResponseHeight (#85) Documentation for block pruning, once it's merged: tendermint/tendermint#4588. Minimum documentation, for now - we probably shouldn't encourage using this feature too much until we release state sync. * abci: add MaxAgeNumBlocks/MaxAgeDuration to EvidenceParams (#87) * abci: update MaxAgeNumBlocks & MaxAgeDuration docs (#88) * document state sync ABCI interface and P2P protocol (#90) The corresponding Tendermint PRs are tendermint/tendermint#4704 and tendermint/tendermint#4705. * Revert "document state sync ABCI interface and P2P protocol (#90)" (#92) This reverts commit9842b4b0fb. * blockchain: change validator set sorting method (#91) * abci: specify sorting of RequestInitChain.Validators * blockchain: change validator sorting method Refs https://github.com/tendermint/tendermint/issues/2478 * reactors/pex: specify hash function (#94) https://github.com/tendermint/tendermint/pull/4810/files * document state sync ABCI interface and P2P protocol (#93) * Revert "Revert "document state sync ABCI interface and P2P protocol (#90)" (#92)" This reverts commit90797cef90. * update with new enum case * fix links Co-authored-by: Erik Grinaker <erik@interchain.berlin> * Update evidence params with MaxNum (#95) evidence params now includes maxNum which is the maximum number of evidence that can be committed on a single block * reactors/pex: masked IP is used as group key (#96) * spec: add ProofTrialPeriod to EvidenceParam (#99) * spec: modify Header.LastResultsHash (#97) Refs: https://github.com/tendermint/tendermint/issues/1007 PR: https://github.com/tendermint/tendermint/pull/4845 * spec: link to abci server implementations (#100) * spec: update evidence in blockchain.md (#108) now evidence reflects the actual evidence present in the tendermint repo * abci: add AppVersion to ConsensusParams (#106) * abci: tweak node sync estimate (#115) * spec/abci: expand on Validator#Address (#118) Refs https://github.com/tendermint/tendermint/issues/3732 * blockchain: rename to core (#123) * blockchain: remove duplicate evidence sections (#124) * spec/consensus: canonical vs subjective commit Refs https://github.com/tendermint/tendermint/issues/2769 * Apply suggestions from code review Co-authored-by: Igor Konnov <igor.konnov@gmail.com> * update spec with the removal of phantom validator evidence (#126) * bring blockchain back * add correct links * spec: revert event hashing (#132) * Evidence time is sourced from block time (#138) * RFC-002: non-zero genesis (#119) * abci: add ResponseInitChain.app_hash (#140) * update hashing of empty inputs, and initial block LastResultsHash (#141) * update evidence verification (#139) * accept RFC-002 (#142) * add description of arbitrary initial height (#135) * update ResponseInitChain.app_hash description (#143) * remove unused directories and update README (#145) This change removes unused directories (`papers` and `research`) and updates the README to reflect our strategy for merging the informalsystems/tendermint-rs specs into this repository. Partially addresses #121. * ci: add markdown linter (#146) * ci: add dependabot config (#148) * build(deps): bump gaurav-nelson/github-action-markdown-link-check from 0.6.0 to 1.0.7 (#149) Bumps [gaurav-nelson/github-action-markdown-link-check](https://github.com/gaurav-nelson/github-action-markdown-link-check) from 0.6.0 to 1.0.7. Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * docs: add sections to abci (#150) * spec: update abci events (#151) * spec: extract light-client to its own directory (#152) Co-authored-by: Callum Waters <cmwaters19@gmail.com> * spec: remove evidences (#153) * add a stale bot (#134) * Current versions of light client specs from tendermint-rs (#158) * current versions of light client specs from tendermint-rs * markdown lint * linting * links * links * links Co-authored-by: Marko Baricevic <marbar3778@yahoo.com> * Fastsync spec from tendermint-rs (#157) * fastsync spec from tendermint-rs * fixed broken link * fixed linting * more fixes * markdown lint * move fast_sync to rust-spec Co-authored-by: Marko Baricevic <marbar3778@yahoo.com> * Update README.md (#160) * spec/reactors/mempool: batch txs per peer (#155) * spec/reactors/mempool: batch txs per peer Refs https://github.com/tendermint/tendermint/issues/625 * update * spec: Light client attack detector (#164) * start with new detection and evidence spec * more definitions at top * sketch of functions * pre post draft * evidence proof * typo * evidence theory polished * some TODOs resolved * more TODOs * links * second to last revision before PR * links * I will read once more and then make a PR * removed peer handling definitions * secondary * ready to review * detector ready for review * Update rust-spec/lightclient/detection/detection.md Co-authored-by: Zarko Milosevic <zarko@informal.systems> * Update rust-spec/lightclient/detection/detection.md Co-authored-by: Zarko Milosevic <zarko@informal.systems> * Update rust-spec/lightclient/detection/detection.md Co-authored-by: Zarko Milosevic <zarko@informal.systems> * Update rust-spec/lightclient/detection/detection.md Co-authored-by: Zarko Milosevic <zarko@informal.systems> * Update rust-spec/lightclient/detection/detection.md Co-authored-by: Zarko Milosevic <zarko@informal.systems> * Update rust-spec/lightclient/detection/detection.md Co-authored-by: Zarko Milosevic <zarko@informal.systems> * Update rust-spec/lightclient/detection/detection.md * skip-trace * PossibleCommit explained * Update rust-spec/lightclient/detection/detection.md Co-authored-by: Zarko Milosevic <zarko@informal.systems> * comments by Zarko * renamed and changed link in README Co-authored-by: Zarko Milosevic <zarko@informal.systems> * fixed an overlooked conflict (#167) * describe valset sorting according to v0.34 requirements (#169) * evidence: update data structures (#165) * fix markdown linter (#172) * TLA+ specs from MBT revision (#173) * remove setOption (#181) * spec: protobuf changes (#156) Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com> * first check latest with secondary (#184) * Extending the blockchain specification (in the light client) to produce different ratios of faults (#183) * cleaning unused definitions * introduced the ratio of faulty processes * Update README.md (#185) * build(deps): bump gaurav-nelson/github-action-markdown-link-check from 1.0.7 to 1.0.8 (#188) Bumps [gaurav-nelson/github-action-markdown-link-check](https://github.com/gaurav-nelson/github-action-markdown-link-check) from 1.0.7 to 1.0.8. - [Release notes](https://github.com/gaurav-nelson/github-action-markdown-link-check/releases) - [Commits](https://github.com/gaurav-nelson/github-action-markdown-link-check/compare/1.0.7...e3c371c731b2f494f856dc5de7f61cea4d519907) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * spec: update light client verification to match supervisor (#171) * VDD renaming of verification spec + links fixed * latest() * backwards * added TODOs * link in old file to new name * better text * revision done. needs one more round of reading * renamed constants in 001 according to TLA+ and impl * ready for PR * forgot linting * Update rust-spec/lightclient/verification/verification_002_draft.md * Update rust-spec/lightclient/verification/verification_002_draft.md * added lightstore function needed for supervisor * added lightstore functions for supervisor * ident * Update rust-spec/lightclient/verification/verification_002_draft.md * github: issue template for proposals (#190) * Sequential Supervisor (#186) * move from tendermint-rs but needs discussion * markdown lint * TODO links replaced * links * links * links lint * Update rust-spec/lightclient/supervisor/supervisor.md * Update rust-spec/lightclient/supervisor/supervisor.md * Update rust-spec/lightclient/supervisor/supervisor.md * Update rust-spec/lightclient/supervisor/supervisor.md * moved peer handling definitions to supervisor * polishing * rename * Update rust-spec/lightclient/supervisor/supervisor_001_draft.md * Update rust-spec/lightclient/supervisor/supervisor_001_draft.md * changes to maintain StateVerified again * ready for changes in verification * start of supervisor * module name * fixed * more details * supevisor completed. Now I have to add function to verification * ready for review * tla comment * removed issues * Update rust-spec/lightclient/supervisor/supervisor_001_draft.md * intro text fixed * indentation * Update rust-spec/lightclient/supervisor/supervisor_001_draft.md * comment to entry points Co-authored-by: Marko Baricevic <marbar3778@yahoo.com> * RFC: adopt zip 215 (#144) Co-authored-by: Robert Zaremba <robert@zaremba.ch> * Core: move validation & data structures together (#176) Co-authored-by: Callum Waters <cmwaters19@gmail.com> * docs: make blockchain not viewable (#211) * evidence: update data structures to reflect added support of abci evidence (#213) * encoding: add secp, ref zip215, tables (#212) * Detector English Spec ready (#215) Add detector English spec * add Ivy proofs (#210) * add Ivy proofs * fix docker-compose command * Light client detector spec in TLA+ and refactoring of light client verification TLA+ spec (#216) Add light client detector spec in TLA+ * abci: lastcommitinfo.round extra sentence (#221) * abci: add abci_version to requestInfo (#223) * BFT requires _less than_ 1/3 faulty validators (#228) Thanks fo spotting the imprecision in the text, @shahankhatch ! * Draft of evidence handling for discussion (#225) * start with accountability deliverable * problem statement * draft function * quite complete draft. ready to discuss with Igor * Update isolate-attackers_001_draft.md * Update isolate-attackers_001_draft.md * Update isolate-attackers_001_draft.md * Update isolate-attackers_001_draft.md * Update isolate-attackers_001_draft.md * ready for TLA+ to take over * isolate * isolateamnesiatodos * Update isolate-attackers_001_draft.md * Update rust-spec/lightclient/attacks/isolate-attackers_001_draft.md Co-authored-by: Igor Konnov <konnov@forsyte.at> * Update rust-spec/lightclient/attacks/isolate-attackers_001_draft.md Co-authored-by: Igor Konnov <konnov@forsyte.at> * Update rust-spec/lightclient/attacks/isolate-attackers_001_draft.md Co-authored-by: Igor Konnov <konnov@forsyte.at> * Update rust-spec/lightclient/attacks/isolate-attackers_001_draft.md Co-authored-by: Igor Konnov <konnov@forsyte.at> * Update rust-spec/lightclient/attacks/isolate-attackers_001_draft.md Co-authored-by: Igor Konnov <konnov@forsyte.at> * Update rust-spec/lightclient/attacks/isolate-attackers_001_draft.md Co-authored-by: Igor Konnov <konnov@forsyte.at> * Update rust-spec/lightclient/attacks/isolate-attackers_001_draft.md Co-authored-by: Igor Konnov <konnov@forsyte.at> * Update rust-spec/lightclient/attacks/isolate-attackers_001_draft.md Co-authored-by: Igor Konnov <konnov@forsyte.at> * The TLA+ specification of the attackers detection (#231) * the working attackers isolation spec, needs more comments * the TLA+ spec of the attackers isolation * build(deps): bump gaurav-nelson/github-action-markdown-link-check (#233) Bumps [gaurav-nelson/github-action-markdown-link-check](https://github.com/gaurav-nelson/github-action-markdown-link-check) from 1.0.8 to 1.0.11. - [Release notes](https://github.com/gaurav-nelson/github-action-markdown-link-check/releases) - [Commits](https://github.com/gaurav-nelson/github-action-markdown-link-check/compare/1.0.8...2a60e0fe41b5361f446ccace6621a1a2a5c324cf) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Computing attack types (#232) Add light attack evidence handling * Update README.md (#234) * p2p: update frame size (#235) Reflect the change made in https://github.com/tendermint/tendermint/pull/5805 The MTU (Maximum Transmission Unit) for Ethernet is 1500 bytes. The IP header and the TCP header take up 20 bytes each at least (unless optional header fields are used) and thus the max for (non-Jumbo frame) Ethernet is 1500 - 20 -20 = 1460 Source: https://stackoverflow.com/a/3074427/820520 * build(deps): bump gaurav-nelson/github-action-markdown-link-check (#239) Bumps [gaurav-nelson/github-action-markdown-link-check](https://github.com/gaurav-nelson/github-action-markdown-link-check) from 1.0.11 to 1.0.12. - [Release notes](https://github.com/gaurav-nelson/github-action-markdown-link-check/releases) - [Commits](https://github.com/gaurav-nelson/github-action-markdown-link-check/compare/1.0.11...0fe4911067fa322422f325b002d2038ba5602170) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * layout: add section titles (#240) * reactors: remove bcv1 (#241) * abci: rewrite to proto interface (#237) * Update supervisor_001_draft.md (#243) * spec: remove reactor section (#242) Co-authored-by: Tess Rinearson <tess.rinearson@gmail.com> * non-critical bugfix in the TLA+ spec (found by new version of apalache) (#244) * params: remove block timeiota (#248) * proto: add files (#246) Co-authored-by: Erik Grinaker <erik@interchain.berlin> * proto: modify height int64 to uint64 (#253) * abci: note on concurrency (#258) Co-authored-by: Marko <marbar3778@yahoo.com> * spec: merge rust-spec (#252) * Fix list of RFCs (#266) * readme: cleanup (#262) * modify readme * add rfc and proto * add rust=spec back to avoid breakage * lint readme * genesis: Explain fields in genesis file (#270) * describe the genesis * Update spec/core/genesis.md Co-authored-by: Dev Ojha <ValarDragon@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Callum Waters <cmwaters19@gmail.com> * add wording on app_state * Update spec/core/genesis.md Co-authored-by: Callum Waters <cmwaters19@gmail.com> Co-authored-by: Dev Ojha <ValarDragon@users.noreply.github.com> Co-authored-by: Callum Waters <cmwaters19@gmail.com> * p2p: links (#268) * fix links * fix more links * Proposer-based timestamp specification (#261) * added proposer-based timestamp spec * Update spec/consensus/proposer-based-timestamp/pbts_001_draft.md Co-authored-by: Aleksandr Bezobchuk <alexanderbez@users.noreply.github.com> * Update spec/consensus/proposer-based-timestamp/pbts_001_draft.md Co-authored-by: Aleksandr Bezobchuk <alexanderbez@users.noreply.github.com> * Update spec/consensus/proposer-based-timestamp/pbts-algorithm_001_draft.md Co-authored-by: Marko <marbar3778@yahoo.com> * Update spec/consensus/proposer-based-timestamp/pbts-algorithm_001_draft.md * Update spec/consensus/proposer-based-timestamp/pbts-sysmodel_001_draft.md Co-authored-by: Callum Waters <cmwaters19@gmail.com> * fixes from PR Co-authored-by: Josef Widder <44643235+josef-widder@users.noreply.github.com> Co-authored-by: Aleksandr Bezobchuk <alexanderbez@users.noreply.github.com> Co-authored-by: Marko <marbar3778@yahoo.com> Co-authored-by: Callum Waters <cmwaters19@gmail.com> * abci: reorder sidebar (#282) * ABCI++ RFC (#254) * ABCI++ RFC This commit adds an RFC for ABCI++, which is a collection of three new phases of communication between the consensus engine and the application. Co-authored-by: Sunny Aggarwal <sunnya97@protonmail.ch> * Fix bugs pointed out by @liamsi * Update rfc/004-abci++.md Co-authored-by: Federico Kunze <31522760+fedekunze@users.noreply.github.com> * Fix markdown lints * Update rfc/004-abci++.md Co-authored-by: Ismail Khoffi <Ismail.Khoffi@gmail.com> * Update rfc/004-abci++.md Co-authored-by: Tess Rinearson <tess.rinearson@gmail.com> * Update rfc/004-abci++.md Co-authored-by: Tess Rinearson <tess.rinearson@gmail.com> * Add information about the rename in the context section * Bold RFC * Add example for self-authenticating vote data * More exposition of the term IPC * Update pros / negatives * Fix sentence fragment * Add desc for no-ops Co-authored-by: Sunny Aggarwal <sunnya97@protonmail.ch> Co-authored-by: Federico Kunze <31522760+fedekunze@users.noreply.github.com> Co-authored-by: Ismail Khoffi <Ismail.Khoffi@gmail.com> Co-authored-by: Tess Rinearson <tess.rinearson@gmail.com> * RFC: ReverseSync - fetching historical data (#224) * core: update a few sections (#284) * p2p: update state sync messages for reverse sync (#285) * Update README.md (#286) * rpc: define spec for RPC (#276) * add rpc spec and support outline * add json * add more routes remove unneeded ones * add rest of rpc endpoints * add jsonrpc calls * add more jsonrpc calls * fix blockchain * cleanup unused links and add links to repos * Update spec/rpc/README.md Co-authored-by: Callum Waters <cmwaters19@gmail.com> * add missing param from consensus param * Update spec/rpc/README.md Co-authored-by: Callum Waters <cmwaters19@gmail.com> * Update spec/rpc/README.md Co-authored-by: Callum Waters <cmwaters19@gmail.com> * fix cast and add doc to readme Co-authored-by: Callum Waters <cmwaters19@gmail.com> Co-authored-by: Marko Baricevic <markobaricevic@Fergalicious.local> * A few improvements to the Ivy proof (#288) * Avoid quantifier alternation cycle The problematic quantifier alternation cycle arose because the definition of accountability_violation was unfolded. This commit also restructures the induction proof for clarity. * add count_lines.sh * fix typo and add forgotten complete=fo in comment Co-authored-by: Giuliano <giuliano@eic-61-11.galois.com> * Fixed a broken link (#291) * fix message type for block-sync (#298) * lint: fix lint errors (#301) * build(deps): bump actions/stale from 3 to 3.0.18 (#300) Bumps [actions/stale](https://github.com/actions/stale) from 3 to 3.0.18. - [Release notes](https://github.com/actions/stale/releases) - [Commits](https://github.com/actions/stale/compare/v3...v3.0.18) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump actions/stale from 3.0.18 to 3.0.19 (#302) Bumps [actions/stale](https://github.com/actions/stale) from 3.0.18 to 3.0.19. - [Release notes](https://github.com/actions/stale/releases) - [Commits](https://github.com/actions/stale/compare/v3.0.18...v3.0.19) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * rename HasVote to ReceivedVote (#289) * add a changelog to track changes (#303) * add a changelog to track changes * Update CHANGELOG.md Co-authored-by: Callum Waters <cmwaters19@gmail.com> Co-authored-by: Callum Waters <cmwaters19@gmail.com> * rpc: clarify timestamps (#304) * clarify timestamps * changelog entry * Update spec/rpc/README.md Co-authored-by: Callum Waters <cmwaters19@gmail.com> Co-authored-by: Callum Waters <cmwaters19@gmail.com> * rpc: add chunked genesis endpoint (#299) * rpc: add chunked genesis endpoint * fix lint * feedback * add info about error * fix lint Co-authored-by: marbar3778 <marbar3778@yahoo.com> * update ResponseCheckTx (#306) * rpc: Add totalGasUSed to block_results response (#308) * Add C++ code generation and test scenario (#310) * add parameters to byzantine send action * make net not trusted it's not necessary since for proofs Ivy will assume that the environment does not break action preconditions * use require instead of assume it seems that assume is not checked when other isolates call! * add comment * add comment * run with random seed * make domain model extractable to C++ * substitute require for assume assumes in an action are not checked when the action is called! I.e. they place no requirement on the caller; we're just assuming that the caller is going to do the right thing. This wasn't very important here but it leade to a minor inconsistency slipping through. * make the net isolate not trusted there was no need for it * add tendermint_test.ivy contains a simple test scenario that show that the specification is no vacuuous * update comment * add comments * throw if trying to parse nset value in the repl * add comment * minor refactoring * add new pex messages (#312) * build(deps): bump gaurav-nelson/github-action-markdown-link-check (#313) Bumps [gaurav-nelson/github-action-markdown-link-check](https://github.com/gaurav-nelson/github-action-markdown-link-check) from 1.0.12 to 1.0.13. - [Release notes](https://github.com/gaurav-nelson/github-action-markdown-link-check/releases) - [Commits](https://github.com/gaurav-nelson/github-action-markdown-link-check/compare/1.0.12...1.0.13) --- updated-dependencies: - dependency-name: gaurav-nelson/github-action-markdown-link-check dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * update spec to reference currently used timestamp type (#317) * build(deps): bump actions/stale from 3.0.19 to 4 (#319) Bumps [actions/stale](https://github.com/actions/stale) from 3.0.19 to 4. - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/stale/compare/v3.0.19...v4) --- updated-dependencies: - dependency-name: actions/stale dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * address discrepancies between spec and implementation (#322) * update proto files for release (#318) * stale bot: ignore issues (#325) * evidence: add section explaining evidence (#324) * statesync: new messages for gossiping consensus params (#328) * rpc: update peer format in specification in NetInfo operation (#331) * Update supervisor_001_draft.md (#334) * core: text cleanup (#332) * abci: clarify what abci stands for (#336) * abci: clarify what abci stands for * link to abci type protos. * abci: clarify connection use in-process (#337) * abci: clarify connection use in-process * Update abci.md * Update spec/abci/abci.md Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * Update spec/abci/abci.md Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * invert abci explanations * lint++ * lint++ * lint++ * lint++ Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * proto: move proto files under the correct directory related to their package name (#344) * abci.md fixup (#339) * abci: points of clarification ahead of v0.1.0 * lint++ * typo * lint++ * double word score * grammar * Update spec/abci/abci.md Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * Update spec/abci/abci.md Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * Update spec/abci/abci.md Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * Update spec/abci/abci.md Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * Update spec/abci/abci.md Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * Update spec/abci/abci.md Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * Update spec/abci/abci.md Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * Update spec/abci/abci.md Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * Update spec/abci/abci.md Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * Update spec/abci/abci.md Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * Update spec/abci/abci.md Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * Update spec/abci/abci.md Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * Update spec/abci/abci.md Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * pr feedback * wip * update non-zero status code docs * fix event description * update CheckTx description Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * Update supervisor_001_draft.md (#333) * Update supervisor_001_draft.md If the only node in the *FullNodes* set is the primary, that was just deemed faulty, we can't find honest primary. * Update supervisor_001_draft.md * light: update initialization description (#320) * apps.md fixups (#341) * wip * wip * wip * remove comments in favor of gh comments * wip * udpates to language, should must etc * Apply suggestions from code review Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * remove tendermint cache description Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * proto: add tendermint go changes (#349) * add missed proto files * add abci changes * rename blockchain to blocksync * Update proto/tendermint/abci/types.proto Co-authored-by: Callum Waters <cmwaters19@gmail.com> Co-authored-by: Callum Waters <cmwaters19@gmail.com> * fix mockery generation script (#9094) Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> Co-authored-by: Milosevic, Zarko <zare.milosevic@gmail.com> Co-authored-by: Milosevic, Zarko <zare.milosevic@sicpa.com> Co-authored-by: Zarko Milosevic <zarko@tendermint.com> Co-authored-by: Marko <marbar3778@yahoo.com> Co-authored-by: Zarko Milosevic <zarko@interchain.io> Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com> Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com> Co-authored-by: dongsamb <dongsamb@gmail.com> Co-authored-by: Sunny Aggarwal <sunnya97@gmail.com> Co-authored-by: Anca Zamfir <anca@interchain.io> Co-authored-by: Ethan Buchman <ethan@coinculture.info> Co-authored-by: Zarko Milosevic <zarko@informal.systems> Co-authored-by: Ismail Khoffi <Ismail.Khoffi@gmail.com> Co-authored-by: Zaki Manian <zaki@tendermint.com> Co-authored-by: Erik Grinaker <erik@interchain.berlin> Co-authored-by: Tess Rinearson <tess.rinearson@gmail.com> Co-authored-by: Alexander Simmerl <a.simmerl@gmail.com> Co-authored-by: Igor Konnov <igor.konnov@gmail.com> Co-authored-by: Sean Braithwaite <brapse@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Josef Widder <44643235+josef-widder@users.noreply.github.com> Co-authored-by: Andrey Kuprianov <59489470+andrey-kuprianov@users.noreply.github.com> Co-authored-by: Igor Konnov <konnov@forsyte.at> Co-authored-by: Sam Hart <sam@hxrts.com> Co-authored-by: Robert Zaremba <robert@zaremba.ch> Co-authored-by: Giuliano <giuliano@losa.fr> Co-authored-by: Shahan Khatchadourian <shahan.k.code@gmail.com> Co-authored-by: Dev Ojha <ValarDragon@users.noreply.github.com> Co-authored-by: istoilkovska <anili100@gmail.com> Co-authored-by: Aleksandr Bezobchuk <alexanderbez@users.noreply.github.com> Co-authored-by: Sam Kleinman <garen@tychoish.com> Co-authored-by: Sunny Aggarwal <sunnya97@protonmail.ch> Co-authored-by: Federico Kunze <31522760+fedekunze@users.noreply.github.com> Co-authored-by: Marko Baricevic <markobaricevic@Fergalicious.local> Co-authored-by: Giuliano <giuliano@eic-61-11.galois.com> Co-authored-by: Jordan Sexton <jordan@jordansexton.com> Co-authored-by: MengXiangJian <805442788@qq.com> Co-authored-by: Yixin Luo <18810541851@163.com> Co-authored-by: crypto-facs <84574577+crypto-facs@users.noreply.github.com> Co-authored-by: Giuliano <giuliano@galois.com> Co-authored-by: William Banfield <4561443+williambanfield@users.noreply.github.com> Co-authored-by: Mateusz Górski <goral09@users.noreply.github.com> Co-authored-by: M. J. Fromberger <fromberger@interchain.io> Co-authored-by: Thane Thomson <connect@thanethomson.com>
398 lines
21 KiB
TeX
398 lines
21 KiB
TeX
|
|
\section{Tendermint consensus algorithm} \label{sec:tendermint}
|
|
|
|
\newcommand\Disseminate{\textbf{Disseminate}}
|
|
|
|
\newcommand\Proposal{\mathsf{PROPOSAL}}
|
|
\newcommand\ProposalPart{\mathsf{PROPOSAL\mbox{-}PART}}
|
|
\newcommand\PrePrepare{\mathsf{INIT}} \newcommand\Prevote{\mathsf{PREVOTE}}
|
|
\newcommand\Precommit{\mathsf{PRECOMMIT}}
|
|
\newcommand\Decision{\mathsf{DECISION}}
|
|
|
|
\newcommand\ViewChange{\mathsf{VC}}
|
|
\newcommand\ViewChangeAck{\mathsf{VC\mbox{-}ACK}}
|
|
\newcommand\NewPrePrepare{\mathsf{VC\mbox{-}INIT}}
|
|
\newcommand\coord{\mathsf{proposer}}
|
|
|
|
\newcommand\newHeight{newHeight} \newcommand\newRound{newRound}
|
|
\newcommand\nil{nil} \newcommand\id{id} \newcommand{\propose}{propose}
|
|
\newcommand\prevote{prevote} \newcommand\prevoteWait{prevoteWait}
|
|
\newcommand\precommit{precommit} \newcommand\precommitWait{precommitWait}
|
|
\newcommand\commit{commit}
|
|
|
|
\newcommand\timeoutPropose{timeoutPropose}
|
|
\newcommand\timeoutPrevote{timeoutPrevote}
|
|
\newcommand\timeoutPrecommit{timeoutPrecommit}
|
|
\newcommand\proofOfLocking{proof\mbox{-}of\mbox{-}locking}
|
|
|
|
\begin{algorithm}[htb!] \def\baselinestretch{1} \scriptsize\raggedright
|
|
\begin{algorithmic}[1]
|
|
\SHORTSPACE
|
|
\INIT{}
|
|
\STATE $h_p := 0$
|
|
\COMMENT{current height, or consensus instance we are currently executing}
|
|
\STATE $round_p := 0$ \COMMENT{current round number}
|
|
\STATE $step_p \in \set{\propose, \prevote, \precommit}$
|
|
\STATE $decision_p[] := nil$
|
|
\STATE $lockedValue_p := nil$
|
|
\STATE $lockedRound_p := -1$
|
|
\STATE $validValue_p := nil$
|
|
\STATE $validRound_p := -1$
|
|
\ENDINIT
|
|
\SHORTSPACE
|
|
\STATE \textbf{upon} start \textbf{do} $StartRound(0)$
|
|
\SHORTSPACE
|
|
\FUNCTION{$StartRound(round)$} \label{line:tab:startRound}
|
|
\STATE $round_p \assign round$
|
|
\STATE $step_p \assign \propose$
|
|
\IF{$\coord(h_p, round_p) = p$}
|
|
\IF{$validValue_p \neq \nil$} \label{line:tab:isThereLockedValue}
|
|
\STATE $proposal \assign validValue_p$ \ELSE \STATE $proposal \assign
|
|
getValue()$
|
|
\label{line:tab:getValidValue}
|
|
\ENDIF
|
|
\STATE \Broadcast\ $\li{\Proposal,h_p, round_p, proposal, validRound_p}$
|
|
\label{line:tab:send-proposal}
|
|
\ELSE
|
|
\STATE \textbf{schedule} $OnTimeoutPropose(h_p,
|
|
round_p)$ to be executed \textbf{after} $\timeoutPropose(round_p)$
|
|
\ENDIF
|
|
\ENDFUNCTION
|
|
|
|
\SPACE
|
|
\UPON{$\li{\Proposal,h_p,round_p, v, -1}$ \From\ $\coord(h_p,round_p)$
|
|
\With\ $step_p = \propose$} \label{line:tab:recvProposal}
|
|
\IF{$valid(v) \wedge (lockedRound_p = -1 \vee lockedValue_p = v$)}
|
|
\label{line:tab:accept-proposal-2}
|
|
\STATE \Broadcast \ $\li{\Prevote,h_p,round_p,id(v)}$
|
|
\label{line:tab:prevote-proposal}
|
|
\ELSE
|
|
\label{line:tab:acceptProposal1}
|
|
\STATE \Broadcast \ $\li{\Prevote,h_p,round_p,\nil}$
|
|
\label{line:tab:prevote-nil}
|
|
\ENDIF
|
|
\STATE $step_p \assign \prevote$ \label{line:tab:setStateToPrevote1}
|
|
\ENDUPON
|
|
|
|
\SPACE
|
|
\UPON{$\li{\Proposal,h_p,round_p, v, vr}$ \From\ $\coord(h_p,round_p)$
|
|
\textbf{AND} $2f+1$ $\li{\Prevote,h_p, vr,id(v)}$ \With\ $step_p = \propose \wedge (vr \ge 0 \wedge vr < round_p)$}
|
|
\label{line:tab:acceptProposal}
|
|
\IF{$valid(v) \wedge (lockedRound_p \le vr
|
|
\vee lockedValue_p = v)$} \label{line:tab:cond-prevote-higher-proposal}
|
|
\STATE \Broadcast \ $\li{\Prevote,h_p,round_p,id(v)}$
|
|
\label{line:tab:prevote-higher-proposal}
|
|
\ELSE
|
|
\label{line:tab:acceptProposal2}
|
|
\STATE \Broadcast \ $\li{\Prevote,h_p,round_p,\nil}$
|
|
\label{line:tab:prevote-nil2}
|
|
\ENDIF
|
|
\STATE $step_p \assign \prevote$ \label{line:tab:setStateToPrevote3}
|
|
\ENDUPON
|
|
|
|
\SPACE
|
|
\UPON{$2f+1$ $\li{\Prevote,h_p, round_p,*}$ \With\ $step_p = \prevote$ for the first time}
|
|
\label{line:tab:recvAny2/3Prevote}
|
|
\STATE \textbf{schedule} $OnTimeoutPrevote(h_p, round_p)$ to be executed \textbf{after} $\timeoutPrevote(round_p)$ \label{line:tab:timeoutPrevote}
|
|
\ENDUPON
|
|
|
|
\SPACE
|
|
\UPON{$\li{\Proposal,h_p,round_p, v, *}$ \From\ $\coord(h_p,round_p)$
|
|
\textbf{AND} $2f+1$ $\li{\Prevote,h_p, round_p,id(v)}$ \With\ $valid(v) \wedge step_p \ge \prevote$ for the first time}
|
|
\label{line:tab:recvPrevote}
|
|
\IF{$step_p = \prevote$}
|
|
\STATE $lockedValue_p \assign v$ \label{line:tab:setLockedValue}
|
|
\STATE $lockedRound_p \assign round_p$ \label{line:tab:setLockedRound}
|
|
\STATE \Broadcast \ $\li{\Precommit,h_p,round_p,id(v))}$
|
|
\label{line:tab:precommit-v}
|
|
\STATE $step_p \assign \precommit$ \label{line:tab:setStateToCommit}
|
|
\ENDIF
|
|
\STATE $validValue_p \assign v$ \label{line:tab:setValidRound}
|
|
\STATE $validRound_p \assign round_p$ \label{line:tab:setValidValue}
|
|
\ENDUPON
|
|
|
|
\SHORTSPACE
|
|
\UPON{$2f+1$ $\li{\Prevote,h_p,round_p, \nil}$
|
|
\With\ $step_p = \prevote$}
|
|
\STATE \Broadcast \ $\li{\Precommit,h_p,round_p, \nil}$
|
|
\label{line:tab:precommit-v-1}
|
|
\STATE $step_p \assign \precommit$
|
|
\ENDUPON
|
|
|
|
\SPACE
|
|
\UPON{$2f+1$ $\li{\Precommit,h_p,round_p,*}$ for the first time}
|
|
\label{line:tab:startTimeoutPrecommit}
|
|
\STATE \textbf{schedule} $OnTimeoutPrecommit(h_p, round_p)$ to be executed \textbf{after} $\timeoutPrecommit(round_p)$
|
|
|
|
\ENDUPON
|
|
|
|
\SPACE
|
|
\UPON{$\li{\Proposal,h_p,r, v, *}$ \From\ $\coord(h_p,r)$ \textbf{AND}
|
|
$2f+1$ $\li{\Precommit,h_p,r,id(v)}$ \With\ $decision_p[h_p] = \nil$}
|
|
\label{line:tab:onDecideRule}
|
|
\IF{$valid(v)$} \label{line:tab:validDecisionValue}
|
|
\STATE $decision_p[h_p] = v$ \label{line:tab:decide}
|
|
\STATE$h_p \assign h_p + 1$ \label{line:tab:increaseHeight}
|
|
\STATE reset $lockedRound_p$, $lockedValue_p$, $validRound_p$ and $validValue_p$ to initial values
|
|
and empty message log
|
|
\STATE $StartRound(0)$
|
|
\ENDIF
|
|
\ENDUPON
|
|
|
|
\SHORTSPACE
|
|
\UPON{$f+1$ $\li{*,h_p,round, *, *}$ \textbf{with} $round > round_p$}
|
|
\label{line:tab:skipRounds}
|
|
\STATE $StartRound(round)$ \label{line:tab:nextRound2}
|
|
\ENDUPON
|
|
|
|
\SHORTSPACE
|
|
\FUNCTION{$OnTimeoutPropose(height,round)$} \label{line:tab:onTimeoutPropose}
|
|
\IF{$height = h_p \wedge round = round_p \wedge step_p = \propose$}
|
|
\STATE \Broadcast \ $\li{\Prevote,h_p,round_p, \nil}$
|
|
\label{line:tab:prevote-nil-on-timeout}
|
|
\STATE $step_p \assign \prevote$
|
|
\ENDIF
|
|
\ENDFUNCTION
|
|
|
|
\SHORTSPACE
|
|
\FUNCTION{$OnTimeoutPrevote(height,round)$} \label{line:tab:onTimeoutPrevote}
|
|
\IF{$height = h_p \wedge round = round_p \wedge step_p = \prevote$}
|
|
\STATE \Broadcast \ $\li{\Precommit,h_p,round_p,\nil}$
|
|
\label{line:tab:precommit-nil-onTimeout}
|
|
\STATE $step_p \assign \precommit$
|
|
\ENDIF
|
|
\ENDFUNCTION
|
|
|
|
\SHORTSPACE
|
|
\FUNCTION{$OnTimeoutPrecommit(height,round)$} \label{line:tab:onTimeoutPrecommit}
|
|
\IF{$height = h_p \wedge round = round_p$}
|
|
\STATE $StartRound(round_p + 1)$ \label{line:tab:nextRound}
|
|
\ENDIF
|
|
\ENDFUNCTION
|
|
\end{algorithmic} \caption{Tendermint consensus algorithm}
|
|
\label{alg:tendermint}
|
|
\end{algorithm}
|
|
|
|
In this section we present the Tendermint Byzantine fault-tolerant consensus
|
|
algorithm. The algorithm is specified by the pseudo-code shown in
|
|
Algorithm~\ref{alg:tendermint}. We present the algorithm as a set of \emph{upon
|
|
rules} that are executed atomically\footnote{In case several rules are active
|
|
at the same time, the first rule to be executed is picked randomly. The
|
|
correctness of the algorithm does not depend on the order in which rules are
|
|
executed.}. We assume that processes exchange protocol messages using a gossip
|
|
protocol and that both sent and received messages are stored in a local message
|
|
log for every process. An upon rule is triggered once the message log contains
|
|
messages such that the corresponding condition evaluates to $\tt{true}$. The
|
|
condition that assumes reception of $X$ messages of a particular type and
|
|
content denotes reception of messages whose senders have aggregate voting power at
|
|
least equal to $X$. For example, the condition $2f+1$ $\li{\Precommit,h_p,r,id(v)}$,
|
|
evaluates to true upon reception of $\Precommit$ messages for height $h_p$,
|
|
a round $r$ and with value equal to $id(v)$ whose senders have aggregate voting
|
|
power at least equal to $2f+1$. Some of the rules ends with "for the first time" constraint
|
|
to denote that it is triggered only the first time a corresponding condition evaluates
|
|
to $\tt{true}$. This is because those rules do not always change the state of algorithm
|
|
variables so without this constraint, the algorithm could keep
|
|
executing those rules forever. The variables with index $p$ are process local state
|
|
variables, while variables without index $p$ are value placeholders. The sign
|
|
$*$ denotes any value.
|
|
|
|
We denote with $n$ the total voting power of processes in the system, and we
|
|
assume that the total voting power of faulty processes in the system is bounded
|
|
with a system parameter $f$. The algorithm assumes that $n > 3f$, i.e., it
|
|
requires that the total voting power of faulty processes is smaller than one
|
|
third of the total voting power. For simplicity we present the algorithm for
|
|
the case $n = 3f + 1$.
|
|
|
|
The algorithm proceeds in rounds, where each round has a dedicated
|
|
\emph{proposer}. The mapping of rounds to proposers is known to all processes
|
|
and is given as a function $\coord(h, round)$, returning the proposer for
|
|
the round $round$ in the consensus instance $h$. We
|
|
assume that the proposer selection function is weighted round-robin, where
|
|
processes are rotated proportional to their voting power\footnote{A validator
|
|
with more voting power is selected more frequently, proportional to its power.
|
|
More precisely, during a sequence of rounds of size $n$, every process is
|
|
proposer in a number of rounds equal to its voting power.}.
|
|
The internal protocol state transitions are triggered by message reception and
|
|
by expiration of timeouts. There are three timeouts in Algorithm \ref{alg:tendermint}:
|
|
$\timeoutPropose$, $\timeoutPrevote$ and $\timeoutPrecommit$.
|
|
The timeouts prevent the algorithm from blocking and
|
|
waiting forever for some condition to be true, ensure that processes continuously
|
|
transition between rounds, and guarantee that eventually (after GST) communication
|
|
between correct processes is timely and reliable so they can decide.
|
|
The last role is achieved by increasing the timeouts with every new round $r$,
|
|
i.e, $timeoutX(r) = initTimeoutX + r*timeoutDelta$;
|
|
they are reset for every new height (consensus
|
|
instance).
|
|
|
|
Processes exchange the following messages in Tendermint: $\Proposal$,
|
|
$\Prevote$ and $\Precommit$. The $\Proposal$ message is used by the proposer of
|
|
the current round to suggest a potential decision value, while $\Prevote$ and
|
|
$\Precommit$ are votes for a proposed value. According to the classification of
|
|
consensus algorithms from \cite{RMS10:dsn}, Tendermint, like PBFT
|
|
\cite{CL02:tcs} and DLS \cite{DLS88:jacm}, belongs to class 3, so it requires
|
|
two voting steps (three communication exchanges in total) to decide a value.
|
|
The Tendermint consensus algorithm is designed for the blockchain context where
|
|
the value to decide is a block of transactions (ie. it is potentially quite
|
|
large, consisting of many transactions). Therefore, in the Algorithm
|
|
\ref{alg:tendermint} (similar as in \cite{CL02:tcs}) we are explicit about
|
|
sending a value (block of transactions) and a small, constant size value id (a
|
|
unique value identifier, normally a hash of the value, i.e., if $\id(v) =
|
|
\id(v')$, then $v=v'$). The $\Proposal$ message is the only one carrying the
|
|
value; $\Prevote$ and $\Precommit$ messages carry the value id. A correct
|
|
process decides on a value $v$ in Tendermint upon receiving the $\Proposal$ for
|
|
$v$ and $2f+1$ voting-power equivalent $\Precommit$ messages for $\id(v)$ in
|
|
some round $r$. In order to send $\Precommit$ message for $v$ in a round $r$, a
|
|
correct process waits to receive the $\Proposal$ and $2f+1$ of the
|
|
corresponding $\Prevote$ messages in the round $r$. Otherwise,
|
|
it sends $\Precommit$ message with a special $\nil$ value.
|
|
This ensures that correct processes can $\Precommit$ only a
|
|
single value (or $\nil$) in a round. As
|
|
proposers may be faulty, the proposed value is treated by correct processes as
|
|
a suggestion (it is not blindly accepted), and a correct process tells others
|
|
if it accepted the $\Proposal$ for value $v$ by sending $\Prevote$ message for
|
|
$\id(v)$; otherwise it sends $\Prevote$ message with the special $\nil$ value.
|
|
|
|
Every process maintains the following variables in the Algorithm
|
|
\ref{alg:tendermint}: $step$, $lockedValue$, $lockedRound$, $validValue$ and
|
|
$validRound$. The $step$ denotes the current state of the internal Tendermint
|
|
state machine, i.e., it reflects the stage of the algorithm execution in the
|
|
current round. The $lockedValue$ stores the most recent value (with respect to
|
|
a round number) for which a $\Precommit$ message has been sent. The
|
|
$lockedRound$ is the last round in which the process sent a $\Precommit$
|
|
message that is not $\nil$. We also say that a correct process locks a value
|
|
$v$ in a round $r$ by setting $lockedValue = v$ and $lockedRound = r$ before
|
|
sending $\Precommit$ message for $\id(v)$. As a correct process can decide a
|
|
value $v$ only if $2f+1$ $\Precommit$ messages for $\id(v)$ are received, this
|
|
implies that a possible decision value is a value that is locked by at least
|
|
$f+1$ voting power equivalent of correct processes. Therefore, any value $v$
|
|
for which $\Proposal$ and $2f+1$ of the corresponding $\Prevote$ messages are
|
|
received in some round $r$ is a \emph{possible decision} value. The role of the
|
|
$validValue$ variable is to store the most recent possible decision value; the
|
|
$validRound$ is the last round in which $validValue$ is updated. Apart from
|
|
those variables, a process also stores the current consensus instance ($h_p$,
|
|
called \emph{height} in Tendermint), and the current round number ($round_p$)
|
|
and attaches them to every message. Finally, a process also stores an array of
|
|
decisions, $decision_p$ (Tendermint assumes a sequence of consensus instances,
|
|
one for each height).
|
|
|
|
Every round starts by a proposer suggesting a value with the $\Proposal$
|
|
message (see line \ref{line:tab:send-proposal}). In the initial round of each
|
|
height, the proposer is free to chose the value to suggest. In the
|
|
Algorithm~\ref{alg:tendermint}, a correct process obtains a value to propose
|
|
using an external function $getValue()$ that returns a valid value to
|
|
propose. In the following rounds, a correct proposer will suggest a new value
|
|
only if $validValue = \nil$; otherwise $validValue$ is proposed (see
|
|
lines~\ref{line:tab:isThereLockedValue}-\ref{line:tab:getValidValue}).
|
|
In addition to the value proposed, the $\Proposal$ message also
|
|
contains the $validRound$ so other processes are informed about the last round
|
|
in which the proposer observed $validValue$ as a possible decision value.
|
|
Note that if a correct proposer $p$ sends $validValue$ with the $validRound$ in the
|
|
$\Proposal$, this implies that the process $p$ received $\Proposal$ and the
|
|
corresponding $2f+1$ $\Prevote$ messages for $validValue$ in the round
|
|
$validRound$.
|
|
If a correct process sends $\Proposal$ message with $validValue$ ($validRound > -1$)
|
|
at time $t > GST$, by the \emph{Gossip communication} property, the
|
|
corresponding $\Proposal$ and the $\Prevote$ messages will be received by all
|
|
correct processes before time $t+\Delta$. Therefore, all correct processes will
|
|
be able to verify the correctness of the suggested value as it is supported by
|
|
the $\Proposal$ and the corresponding $2f+1$ voting power equivalent $\Prevote$
|
|
messages.
|
|
|
|
A correct process $p$ accepts the proposal for a value $v$ (send $\Prevote$
|
|
for $id(v)$) if an external \emph{valid} function returns $true$ for the value
|
|
$v$, and if $p$ hasn't locked any value ($lockedRound = -1$) or $p$ has locked
|
|
the value $v$ ($lockedValue = v$); see the line
|
|
\ref{line:tab:accept-proposal-2}. In case the proposed pair is $(v,vr \ge 0)$ and a
|
|
correct process $p$ has locked some value, it will accept
|
|
$v$ if it is a more recent possible decision value\footnote{As
|
|
explained above, the possible decision value in a round $r$ is the one for
|
|
which $\Proposal$ and the corresponding $2f+1$ $\Prevote$ messages are received
|
|
for the round $r$.}, $vr > lockedRound_p$, or if $lockedValue = v$
|
|
(see line~\ref{line:tab:cond-prevote-higher-proposal}). Otherwise, a correct
|
|
process will reject the proposal by sending $\Prevote$ message with $\nil$
|
|
value. A correct process will send $\Prevote$ message with $\nil$ value also in
|
|
case $\timeoutPropose$ expired (it is triggered when a correct process starts a
|
|
new round) and a process has not sent $\Prevote$ message in the current round
|
|
yet (see the line \ref{line:tab:onTimeoutPropose}).
|
|
|
|
If a correct process receives $\Proposal$ message for some value $v$ and $2f+1$
|
|
$\Prevote$ messages for $\id(v)$, then it sends $\Precommit$ message with
|
|
$\id(v)$. Otherwise, it sends $\Precommit$ $\nil$. A correct process will send
|
|
$\Precommit$ message with $\nil$ value also in case $\timeoutPrevote$ expired
|
|
(it is started when a correct process sent $\Prevote$ message and received any
|
|
$2f+1$ $\Prevote$ messages) and a process has not sent $\Precommit$ message in
|
|
the current round yet (see the line \ref{line:tab:onTimeoutPrecommit}). A
|
|
correct process decides on some value $v$ if it receives in some round $r$
|
|
$\Proposal$ message for $v$ and $2f+1$ $\Precommit$ messages with $\id(v)$ (see
|
|
the line \ref{line:tab:decide}). To prevent the algorithm from blocking and
|
|
waiting forever for this condition to be true, the Algorithm
|
|
\ref{alg:tendermint} relies on $\timeoutPrecommit$. It is triggered after a
|
|
process receives any set of $2f+1$ $\Precommit$ messages for the current round.
|
|
If the $\timeoutPrecommit$ expires and a process has not decided yet, the
|
|
process starts the next round (see the line \ref{line:tab:onTimeoutPrecommit}).
|
|
When a correct process $p$ decides, it starts the next consensus instance
|
|
(for the next height). The \emph{Gossip communication} property ensures
|
|
that $\Proposal$ and $2f+1$ $\Prevote$ messages that led $p$ to decide
|
|
are eventually received by all correct processes, so they will also decide.
|
|
|
|
\subsection{Termination mechanism}
|
|
|
|
Tendermint ensures termination by a novel mechanism that benefits from the
|
|
gossip based nature of communication (see \emph{Gossip communication}
|
|
property). It requires managing two additional variables, $validValue$ and
|
|
$validRound$ that are then used by the proposer during the propose step as
|
|
explained above. The $validValue$ and $validRound$ are updated to $v$ and $r$
|
|
by a correct process in a round $r$ when the process receives valid $\Proposal$
|
|
message for the value $v$ and the corresponding $2f+1$ $\Prevote$ messages for
|
|
$id(v)$ in the round $r$ (see the rule at line~\ref{line:tab:recvPrevote}).
|
|
|
|
We now give briefly the intuition how managing and proposing $validValue$
|
|
and $validRound$ ensures termination. Formal treatment is left for
|
|
Section~\ref{sec:proof}.
|
|
|
|
The first thing to note is that during good period, because of the
|
|
\emph{Gossip communication} property, if a correct process $p$ locks a value
|
|
$v$ in some round $r$, all correct processes will update $validValue$ to $v$
|
|
and $validRound$ to $r$ before the end of the round $r$ (we prove this formally
|
|
in the Section~\ref{sec:proof}). The intuition is that messages that led to $p$
|
|
locking a value $v$ in the round $r$ will be gossiped to all correct processes
|
|
before the end of the round $r$, so it will update $validValue$ and
|
|
$validRound$ (the line~\ref{line:tab:recvPrevote}). Therefore, if a correct
|
|
process locks some value during good period, $validValue$ and $validRound$ are
|
|
updated by all correct processes so that the value proposed in the following
|
|
rounds will be acceptable by all correct processes. Note
|
|
that it could happen that during good period, no correct process locks a value,
|
|
but some correct process $q$ updates $validValue$ and $validRound$ during some
|
|
round. As no correct process locks a value in this case, $validValue_q$ and
|
|
$validRound_q$ will also be acceptable by all correct processes as
|
|
$validRound_q > lockedRound_c$ for every correct process $c$ and as the
|
|
\emph{Gossip communication} property ensures that the corresponding $\Prevote$
|
|
messages that $q$ received in the round $validRound_q$ are received by all
|
|
correct processes $\Delta$ time later.
|
|
|
|
Finally, it could happen that after GST, there is a long sequence of rounds in which
|
|
no correct process neither locks a value nor update $validValue$ and $validRound$.
|
|
In this case, during this sequence of rounds, the proposed value suggested by correct
|
|
processes was not accepted by all correct processes. Note that this sequence of rounds
|
|
is always finite as at the beginning of every
|
|
round there is at least a single correct process $c$ such that $validValue_c$
|
|
and $validRound_c$ are acceptable by every correct process. This is true as
|
|
there exists a correct process $c$ such that for every other correct process
|
|
$p$, $validRound_c > lockedRound_p$ or $validValue_c = lockedValue_p$. This is
|
|
true as $c$ is the process that has locked a value in the most recent round
|
|
among all correct processes (or no correct process locked any value). Therefore,
|
|
eventually $c$ will be the proper in some round and the proposed value will be accepted
|
|
by all correct processes, terminating therefore this sequence of
|
|
rounds.
|
|
|
|
Therefore, updating $validValue$ and $validRound$ variables, and the
|
|
\emph{Gossip communication} property, together ensures that eventually, during
|
|
the good period, there exists a round with a correct proposer whose proposed
|
|
value will be accepted by all correct processes, and all correct processes will
|
|
terminate in that round. Note that this mechanism, contrary to the common
|
|
termination mechanism illustrated in the
|
|
Figure~\ref{ch3:fig:coordinator-change}, does not require exchanging any
|
|
additional information in addition to messages already sent as part of what is
|
|
normally being called "normal" case.
|
|
|