This repository has been archived by the owner on Jun 26, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add a document explaining how and why the properties of the update me…
…chanism are tested. Check that stabilization fragments cannot be longer than the stability window. [skip ci]
- Loading branch information
Showing
3 changed files
with
193 additions
and
13 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,165 @@ | ||
# Approach to property based testing | ||
|
||
We generate traces of update events. These traces are analyzed per-update | ||
proposal. Given a trace and an update proposal, we divide the trace in | ||
_fragments_, where in each fragment the state of a proposal (as reported by the | ||
update system) remains unchanged. The states a proposal can be in are enumerated | ||
below: | ||
|
||
- unknown: the SIP for the update proposal is not know to the update system. | ||
|
||
The division of the trace in fragments depend on the update system giving the | ||
right information. For instance, it should report the earliest state when an SIP | ||
was submitted. We have tests in place to make sure the update system reports the | ||
correct state. These are described in the next section. | ||
|
||
# State query tests | ||
|
||
## State of an SIP is correctly reported | ||
- It the update system reports that an SIP submission is unknown in the system, | ||
then only implementation submissions corresponding to that SIP are allowed. | ||
- If the system transitions from `unknown` to `SIP submitted` for a given SIP, | ||
then the action that led to the new state must be the submission of said SIP. | ||
- If an SIP is in a `submitted` state, then only implementation submissions | ||
are allowed. | ||
- If an SIP transitions from `submitted` to `stably submitted`, then the | ||
difference between the first slot in which the SIP was reported as `submitted` | ||
and the first slot in which it was reported as `stably submitted` is equal to | ||
the slot length stability window. | ||
- The length in slots of a `submitted` fragment cannot exceed the slot length of | ||
the stability window. | ||
|
||
# Update system requirements | ||
|
||
|
||
|
||
## Open participation | ||
|
||
<!-- what does it mean? --> | ||
|
||
<!-- why is it important --> | ||
|
||
### No valid update payload is rejected | ||
|
||
As long as an update payload is valid, and pays the required fees the system | ||
should not reject it. | ||
|
||
This property is validated through several properties. | ||
|
||
> if a SIP submission is rejected, it is because either the signature is | ||
> invalid, or it was submitted before. The reciprocal of this property implies | ||
> that a valid submission should be accepted. | ||
In the code we check that for all SIP's, and fragments where the SIP is in an | ||
`unknown` state, if a submission of a SIP was rejected in that fragment, then | ||
it is because the signature was invalid. | ||
|
||
This ensures that an SIP can always be submitted if it was not submitted before. | ||
If it was submitted before then the system will not report it as `unknown` (this | ||
is checked in a different property-test) so this case is not interested for this | ||
property. | ||
|
||
> if a SIP revelation is rejected, it is because either: | ||
> - the revelation was submitted before | ||
> - there is no corresponding stable SIP | ||
In the code we check that when an SIP is in the `stably submitted` state, then | ||
the revelation of this SIP cannot be rejected. | ||
|
||
*TODO* we can make an analogous consideration for votes. | ||
|
||
## Decentralized decision making | ||
|
||
### A SIP voted by enough participants can move to the next phase | ||
|
||
In the code we check that for any SIP, in the fragment when the SIP is stably | ||
revealed (which means that its voting period is open), then: | ||
|
||
- No verdict can be reached earlier than the last voting period. | ||
- In the last voting period, the reached verdict coincides with the outcome we | ||
expect (from counting the votes in that period). | ||
|
||
This means that if an SIP should be approved according to the votes we see in | ||
any of its voting periods, then the system should report it as approved. | ||
|
||
We also check that once an SIP is approved and its implementation submitted, it | ||
can go into the `implementation submitted` state (and from there proceed with | ||
the approval phase). | ||
|
||
### A SIP not voted by enough participants cannot move to the next phase | ||
|
||
It the code we check that for any SIP, in the fragment when the SIP is stably | ||
revealed (which means that its voting period is open), then: | ||
|
||
- No verdict can be reached earlier than the last voting period. | ||
- In the last voting period, the reached verdict coincides with the outcome we | ||
expect (from counting the votes in that period). | ||
|
||
This means that if an SIP should be not be approved according to the votes we | ||
see in any of its voting periods, then the system should report it as | ||
not-approved. | ||
|
||
We also check that the system can only enter in the `implementation submitted` | ||
state if the SIP is approved. | ||
|
||
### TODO: similar considerations for implementation votes and endorsements | ||
|
||
## On-chain and protocol-driven | ||
|
||
### Uniqueness of proposals | ||
|
||
For every update proposal there is an unique author that submitted it to the | ||
chain. | ||
|
||
We ensure this by enforcing a commit-reveal scheme. | ||
|
||
In the code we check that SIP's and implementations can only be revealed when | ||
their submissions are stable. | ||
|
||
## Transparent and auditable | ||
|
||
## Securely activated | ||
|
||
### The endorsement threshold at the end of the safety lag is 51% | ||
|
||
At the end of the safety lag the activation of a proposal requires 51% of stake | ||
endorsed. | ||
|
||
In the tests we make sure that the threshold we consider at the last endorsement | ||
interval is 51%. | ||
|
||
## Low impact on blockchain performance | ||
|
||
## Scalable | ||
|
||
## Metadata-driven | ||
|
||
### Priorities are honored | ||
|
||
Updates with higher priority are activated before the ones with lower priorities | ||
(priorities are specified in the proposal's metadata) | ||
|
||
In the tests we check that when a proposal starts an endorsement period, then | ||
all the other candidate proposals have lower priority. On the other hand, we | ||
check that when a proposal is put in the endorsements queue, then any proposal | ||
`being endorsed` must have a higher priority. Furthermore, we ensure that only | ||
`scheduled` proposals can be `activated`, and the `activated` state can only be | ||
reached from the `being endorsed` state. This guarantees that when a proposal is | ||
activated, the there is no other proposal with higher priority that could have | ||
been endorsed. | ||
|
||
### Voting period duration is honored | ||
|
||
The voting period duration of a proposal coincides with the one specified in its | ||
metadata. | ||
|
||
In the tests we divide the fragment in which a proposal is in the `stably | ||
revealed` state (i.e. its voting interval) in voting periods according to the | ||
proposal's metadata. The we tally the votes in those periods and make sure no | ||
valid votes are rejected in any of those period. Thus if the system would have a | ||
different voting period duration a property based tests with good coverage | ||
should detect a case in which either a valid vote was rejected, or we arrive at | ||
a different tally result (either because the interval that the system under test | ||
considers will be shorter or longer, and contain a different number of votes). | ||
|
||
## Dependency and conflict resolving |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters