Skip to content

Update CheckQuorum and DropIgnoredMessage in ccfraft.tla #7374

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
achamayou merged 6 commits into from
Oct 22, 2025
Merged

Update CheckQuorum and DropIgnoredMessage in ccfraft.tla #7374

achamayou merged 6 commits into from
Oct 22, 2025

Conversation

@cjen1-msft
Copy link
Contributor

@cjen1-msft cjen1-msft commented Oct 17, 2025

I found two places where our spec overapproximates the behaviours of CCF.

First CheckQuorum can always trigger on a leader, so in the case of a single nodeconfiguration it can trigger in the spec but never in practise.

Next the DropIgnoredMessage was allowed to drop messages if they were ignored. We specifically don't ignore RequestVote messages from unknown replicas, while this is allowed by the spec.

Both of these were causing false liveness counterexamples in testing of the prevote changes.

achamayou
achamayou reviewed Oct 20, 2025
View reviewed changes
achamayou
achamayou reviewed Oct 20, 2025
View reviewed changes
@achamayou achamayou added the run-long-verification Run Long Verification jobs label Oct 20, 2025
@achamayou
Copy link
Member

achamayou commented Oct 20, 2025

@cjen1-msft when Model Checking, we pass --disable-check-quorum, which goes through here, here and ultimately here.

The simulation is doing some CheckQuorum though.

eddyashton
eddyashton reviewed Oct 20, 2025
View reviewed changes
cjen1-msft and others added 2 commits October 20, 2025 15:41
@cjen1-msft @eddyashton
Update tla/consensus/ccfraft.tla
8deed5f 
Co-authored-by: Eddy Ashton <ashton.eddy@gmail.com>
@cjen1-msft
Add backref to raft.h
4c36b08
@cjen1-msft cjen1-msft marked this pull request as ready for review October 20, 2025 15:07
@cjen1-msft cjen1-msft requested a review from a team as a code owner October 20, 2025 15:07
Copilot AI review requested due to automatic review settings October 20, 2025 15:07
Copilot AI reviewed Oct 20, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR fixes two instances where the TLA+ specification over-approximated CCF's behavior, causing false liveness counterexamples. The changes align the specification more closely with the actual implementation by restricting when CheckQuorum can trigger and when messages can be dropped.

  • Adds a constraint to prevent CheckQuorum from triggering in single-node configurations
  • Prevents DropIgnoredMessage from dropping RequestVoteRequest messages from unknown nodes

@cjen1-msft cjen1-msft added this pull request to the merge queue Oct 22, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Oct 22, 2025
@achamayou achamayou added this pull request to the merge queue Oct 22, 2025
Merged via the queue into microsoft:main with commit 0375c3f Oct 22, 2025
27 checks passed
@achamayou achamayou deleted the fix-spec branch October 22, 2025 18:24
@cjen1-msft cjen1-msft added the 6.x-todo PRs which should be backported to 6.x label Nov 5, 2025
cjen1-msft added a commit to cjen1-msft/CCF that referenced this pull request Nov 5, 2025
@cjen1-msft @achamayou @eddyashton
Update CheckQuorum and DropIgnoredMessage in ccfraft.tla (microsoft#7374
73b9b6c 
)

Co-authored-by: Amaury Chamayou <amchamay@microsoft.com>
Co-authored-by: Eddy Ashton <ashton.eddy@gmail.com>
@cjen1-msft cjen1-msft mentioned this pull request Nov 5, 2025
Merged
cjen1-msft added a commit to cjen1-msft/CCF that referenced this pull request Nov 5, 2025
@cjen1-msft @achamayou @eddyashton
Update CheckQuorum and DropIgnoredMessage in ccfraft.tla (microsoft#7374
3c14762 
)

Co-authored-by: Amaury Chamayou <amchamay@microsoft.com>
Co-authored-by: Eddy Ashton <ashton.eddy@gmail.com>
achamayou pushed a commit that referenced this pull request Nov 17, 2025
@cjen1-msft
[release/6.x] Backport pre-vote capability (#7374, #7375, #7404, #7409,
5120ce9 
#7438, #7445, #7458) (#7436)
@eddyashton eddyashton added the backported This PR was successfully backported to LTS branch label Dec 3, 2025
@eddyashton
Copy link
Member

eddyashton commented Dec 3, 2025

Adding backported label - this was backported in #7436.

@eddyashton eddyashton removed the run-long-verification Run Long Verification jobs label Dec 3, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@eddyashton eddyashton eddyashton left review comments

Copilot code review Copilot Copilot left review comments

@achamayou achamayou achamayou approved these changes

Assignees

No one assigned

Labels

6.x-todo PRs which should be backported to 6.x backported This PR was successfully backported to LTS branch

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cjen1-msft @achamayou @eddyashton