tarantool
diff --git a/‎.gitignore‎
Lines changed: 4 additions & 0 deletions b/‎.gitignore‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎proofs/tla/src/storage.tla‎
Lines changed: 645 additions & 0 deletions b/‎proofs/tla/src/storage.tla‎
Lines changed: 645 additions & 0 deletions
diff --git a/‎proofs/tla/src/utils.tla‎
Lines changed: 10 additions & 0 deletions b/‎proofs/tla/src/utils.tla‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎proofs/tla/test/storage/DoubledBucketsSmallTest.cfg‎
Lines changed: 25 additions & 0 deletions b/‎proofs/tla/test/storage/DoubledBucketsSmallTest.cfg‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎proofs/tla/test/storage/DoubledBucketsSmallTest.tla‎
Lines changed: 61 additions & 0 deletions b/‎proofs/tla/test/storage/DoubledBucketsSmallTest.tla‎
Lines changed: 61 additions & 0 deletions
diff --git a/‎proofs/tla/test/storage/DoubledBucketsTest.cfg‎
Lines changed: 26 additions & 0 deletions b/‎proofs/tla/test/storage/DoubledBucketsTest.cfg‎
Lines changed: 26 additions & 0 deletions
diff --git a/‎proofs/tla/test/storage/DoubledBucketsTest.tla‎
Lines changed: 74 additions & 0 deletions b/‎proofs/tla/test/storage/DoubledBucketsTest.tla‎
Lines changed: 74 additions & 0 deletions
diff --git a/‎proofs/tla/test/storage/MasterDoubledTest.cfg‎
Lines changed: 20 additions & 0 deletions b/‎proofs/tla/test/storage/MasterDoubledTest.cfg‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎proofs/tla/test/storage/MasterDoubledTest.tla‎
Lines changed: 93 additions & 0 deletions b/‎proofs/tla/test/storage/MasterDoubledTest.tla‎
Lines changed: 93 additions & 0 deletions
diff --git a/‎proofs/tla/test/storage/RecoveryGarbageTest.cfg‎
Lines changed: 24 additions & 0 deletions b/‎proofs/tla/test/storage/RecoveryGarbageTest.cfg‎
Lines changed: 24 additions & 0 deletions
@@ -21,3 +21,7 @@ build
 .rocks
 build.luarocks
 .DS_Store
+
+# TLA+ files
+states/
+*_TTrace_*
@@ -0,0 +1,10 @@
+------------------------------- MODULE utils -----------------------------------
+
+EXTENDS Naturals, FiniteSets
+
+RECURSIVE SetSum(_)
+SetSum(set) == IF set = {} THEN 0 ELSE
+  LET x == CHOOSE x \in set: TRUE
+    IN x + SetSum(set \ {x})
+
+================================================================================
@@ -0,0 +1,25 @@
+INIT Init
+NEXT Next
+
+CONSTANTS
+    Storages <- StoragesC
+    ReplicaSets <- ReplicaSetsC
+    BucketIds <- BucketIdsC
+    StorageAssignments <- StorageAssignmentsC
+    BucketAssignments <- BucketAssignmentsC
+    MasterAssignments <- MasterAssignmentsC
+    b1 = b1
+    b2 = b2
+
+SYMMETRY Symmetry
+
+INVARIANTS
+    NetworkTypeInv
+    StorageTypeInv
+    StorageToReplicasetTypeInv
+    NoActiveSimultaneousInv
+
+CONSTRAINTS
+    SendLimitConstraint
+    NetworkBoundConstraint
+    TwoMastersConstraint
@@ -0,0 +1,61 @@
+-------------------------MODULE DoubledBucketsSmallTest ------------------------
+EXTENDS storage, utils
+
+CONSTANTS b1, b2
+
+StoragesC == {"s1", "s2", "s3", "s4"}
+ReplicaSetsC == {"rs1", "rs2"}
+BucketIdsC == {b1, b2}
+StorageAssignmentsC == [rs1 |-> {"s1", "s2"},
+                       rs2 |-> {"s3", "s4"}]
+BucketAssignmentsC == [rs1 |-> {b1},
+                       rs2 |-> {b2}]
+MasterAssignmentsC == [rs1 |-> {"s1"},
+                       rs2 |-> {"s3"}]
+
+(***************************************************************************)
+(*                           CONSTRAINTS                                   *)
+(***************************************************************************)
+
+MAX_TOTAL_SENDS == 1
+
+\* 1. Limit total bucket sends - prevent endless transfers.
+SendLimitConstraint ==
+    LET totalSends ==
+        SetSum({ storages[i].errinj.bucketSendCount : i \in Storages })
+    IN totalSends =< MAX_TOTAL_SENDS
+
+\* 2. Allow only a small number of concurrent masters.
+TwoMastersConstraint ==
+    Cardinality({s \in Storages : storages[s].status = "master"}) =< 2
+
+\* 3. Keep network bounded - avoid message explosion.
+NetworkBoundConstraint ==
+    \A s1, s2 \in StoragesC :
+        Len(network[s1][s2]) =< 2
+
+(***************************************************************************)
+(*                            SYMMETRY                                     *)
+(***************************************************************************)
+
+Symmetry ==
+    Permutations(BucketIdsC)
+
+(***************************************************************************)
+(*                           STATE INVARIANTS                              *)
+(***************************************************************************)
+
+NoActiveSimultaneousInv ==
+    \* No bucket can be ACTIVE in storages belonging to different ReplicaSets
+    \A b \in BucketIds :
+        \A rs1, rs2 \in ReplicaSets :
+            rs1 # rs2 =>
+                ~(\E s1, s2 \in Storages :
+                     storageToReplicaset[s1] = rs1 /\
+                     storageToReplicaset[s2] = rs2 /\
+                     storages[s1].status = "master" /\
+                     storages[s2].status = "master" /\
+                     storages[s1].buckets[b].status = "ACTIVE" /\
+                     storages[s2].buckets[b].status = "ACTIVE")
+
+================================================================================
@@ -0,0 +1,26 @@
+INIT Init
+NEXT Next
+
+CONSTANTS
+    Storages <- StoragesC
+    ReplicaSets <- ReplicaSetsC
+    BucketIds <- BucketIdsC
+    StorageAssignments <- StorageAssignmentsC
+    BucketAssignments <- BucketAssignmentsC
+    MasterAssignments <- MasterAssignmentsC
+    b1 = b1
+    b2 = b2
+    b3 = b3
+
+SYMMETRY Symmetry
+
+INVARIANTS
+    NetworkTypeInv
+    StorageTypeInv
+    StorageToReplicasetTypeInv
+    NoActiveSimultaneousInv
+
+CONSTRAINT
+    SendLimitConstraint
+    NetworkBoundConstraint
+    RefConstraint
@@ -0,0 +1,74 @@
+------------------------- MODULE DoubledBucketsTest ----------------------------
+EXTENDS storage, utils
+
+CONSTANTS b1, b2, b3
+
+StoragesC == {"s1", "s2", "s3"}
+ReplicaSetsC == {"rs1", "rs2", "rs3"}
+BucketIdsC == {b1, b2, b3}
+StorageAssignmentsC == [rs1 |-> {"s1"},
+                       rs2 |-> {"s2"},
+                       rs3 |-> {"s3"}]
+BucketAssignmentsC == [rs1 |-> {b1},
+                       rs2 |-> {b2},
+                       rs3 |-> {b3}]
+MasterAssignmentsC == [rs1 |-> {"s1"},
+                       rs2 |-> {"s2"},
+                       rs3 |-> {"s3"}]
+
+(***************************************************************************)
+(*                           CONSTRAINTS                                   *)
+(***************************************************************************)
+
+MAX_TOTAL_SENDS == 2
+
+\* 1. Limit total bucket sends - prevent endless transfers.
+SendLimitConstraint ==
+    LET totalSends ==
+        SetSum({ storages[i].errinj.bucketSendCount : i \in StoragesC })
+    IN totalSends =< MAX_TOTAL_SENDS
+
+\* 2. Keep network bounded - avoid message explosion.
+NetworkBoundConstraint ==
+    /\ \A s1, s2 \in StoragesC :
+            Len(network[s1][s2]) =< 3
+    /\ \A s \in StoragesC :
+        /\ storages[s].errinj.networkReorderCount <= 1
+        /\ storages[s].errinj.networkDropCount <= 1
+
+RefConstraint ==
+    \A s1 \in StoragesC :
+        /\ storages[s1].errinj.bucketRWRefCount <= 0
+        /\ storages[s1].errinj.bucketRORefCount <= 0
+        /\ storages[s1].errinj.bucketRWUnRefCount <= 0
+        /\ storages[s1].errinj.bucketROUnRefCount <= 0
+
+(***************************************************************************)
+(*                            SYMMETRY                                     *)
+(***************************************************************************)
+
+Symmetry ==
+    Permutations(BucketIdsC)
+
+(***************************************************************************)
+(*                           STATE INVARIANTS                              *)
+(***************************************************************************)
+
+NoActiveSimultaneousInv ==
+    \* No bucket can be ACTIVE in storages belonging to different ReplicaSets
+    \A b \in BucketIds :
+        \A rs1, rs2 \in ReplicaSets :
+            rs1 # rs2 =>
+                ~(\E s1, s2 \in Storages :
+                     storageToReplicaset[s1] = rs1 /\
+                     storageToReplicaset[s2] = rs2 /\
+                     storages[s1].status = "master" /\
+                     storages[s2].status = "master" /\
+                     storages[s1].buckets[b].status = "ACTIVE" /\
+                     storages[s2].buckets[b].status = "ACTIVE")
+
+(***************************************************************************)
+(*                           MODEL CHECKING PROPERTIES                     *)
+(***************************************************************************)
+
+================================================================================
@@ -0,0 +1,20 @@
+INIT TestInit
+NEXT TestNext
+
+CONSTANTS
+    Storages <- StoragesC
+    ReplicaSets <- ReplicaSetsC
+    BucketIds <- BucketIdsC
+    StorageAssignments <- StorageAssignmentsC
+    BucketAssignments <- BucketAssignmentsC
+    MasterAssignments <- MasterAssignmentsC
+    b1 = b1
+    b2 = b2
+    b3 = b3
+    b4 = b4
+
+INVARIANTS
+    NetworkTypeInv
+    StorageTypeInv
+    StorageToReplicasetTypeInv
+    NoActiveSimultaneousInv
@@ -0,0 +1,93 @@
+-------------------------- MODULE MasterDoubledTest ----------------------------
+EXTENDS storage, TLC
+
+(***************************************************************************)
+(* Cluster: two replica sets, two storages each.                           *)
+(* We'll force rs1 to send a bucket to rs2, lose replication, and failover.*)
+(***************************************************************************)
+
+CONSTANTS
+  b1, b2, b3, b4
+
+StoragesC == {"s1", "s2", "s3", "s4"}
+ReplicaSetsC == {"rs1", "rs2"}
+BucketIdsC == {b1, b2, b3, b4}
+StorageAssignmentsC ==
+    [rs1 |-> {"s1", "s2"},
+     rs2 |-> {"s3", "s4"}]
+BucketAssignmentsC ==
+    [rs1 |-> {b1, b2},
+     rs2 |-> {b3, b4}]
+MasterAssignmentsC ==
+    [rs1 |-> {"s1"},
+     rs2 |-> {"s3"}]
+
+(***************************************************************************)
+(* Variables and initialization                                            *)
+(***************************************************************************)
+
+VARIABLE phase
+
+TestInit ==
+  /\ Init
+  /\ phase = 1
+
+(***************************************************************************)
+(* Phase-driven Next                                                       *)
+(***************************************************************************)
+
+TestNext ==
+  \/ /\ phase = 1
+     /\ ~(
+          storages["s1"].buckets[b1].status = "SENT"
+          /\ storages["s3"].buckets[b1].status = "ACTIVE"
+        )
+     /\ \E i \in {"s1"}, j \in {"s3"}, b \in {b1} :
+          \/ StorageStateApply(i, BucketSendStart(StorageState(i), b, j))
+          \/ /\ Len(StorageState(j).networkReceive[i]) > 0
+             /\ \/ StorageStateApply(j, BucketRecvStart(StorageState(j), i))
+                \/ StorageStateApply(j, BucketRecvFinish(StorageState(j), i))
+          \/ /\ Len(StorageState(i).networkReceive[j]) > 0
+             /\ StorageStateApply(i, BucketSendFinish(StorageState(i), j))
+     /\ UNCHANGED <<storageToReplicaset, phase>>
+
+  \/ /\ phase = 1
+     /\ storages["s1"].buckets[b1].status = "SENT"
+     /\ storages["s3"].buckets[b1].status = "ACTIVE"
+     /\ UNCHANGED <<network, storages, storageToReplicaset>>
+     /\ phase' = 3
+
+  \/ /\ phase = 3
+     /\ \E i \in {"s2"} :
+          /\ StorageStateApply(i, BecomeMaster(StorageState(i)))
+          /\ PrintT("Phase 3: failover, s2 becomes master")
+     /\ phase' = 4
+
+  \/ /\ phase = 4
+     /\ UNCHANGED <<network, storages, storageToReplicaset, phase>>
+     /\ PrintT("Phase 4: check for double ACTIVE")
+
+(***************************************************************************)
+(* Spec                                                                    *)
+(***************************************************************************)
+
+Spec ==
+  TestInit /\ [][TestNext]_<<network, storages, storageToReplicaset, phase>>
+
+(***************************************************************************)
+(*                           STATE INVARIANTS                              *)
+(***************************************************************************)
+
+NoActiveSimultaneousInv ==
+    \* No bucket can be ACTIVE in storages belonging to different ReplicaSets
+    \A b \in BucketIds :
+        \A rs1, rs2 \in ReplicaSets :
+            rs1 # rs2 =>
+                ~(\E s1, s2 \in Storages :
+                     storageToReplicaset[s1] = rs1 /\
+                     storageToReplicaset[s2] = rs2 /\
+                     storages[s1].status = "master" /\
+                     storages[s2].status = "master" /\
+                     storages[s1].buckets[b].status = "ACTIVE" /\
+                     storages[s2].buckets[b].status = "ACTIVE")
+===============================================================================
@@ -0,0 +1,24 @@
+CONSTANTS
+  Storages <- StoragesC
+  ReplicaSets <- ReplicaSetsC
+  BucketIds <- BucketIdsC
+  StorageAssignments <- StorageAssignmentsC
+  BucketAssignments <- BucketAssignmentsC
+  MasterAssignments <- MasterAssignmentsC
+  b1 = b1
+  b2 = b2
+  b3 = b3
+  b4 = b4
+
+INVARIANTS
+    NetworkTypeInv
+    StorageTypeInv
+    StorageToReplicasetTypeInv
+    NoActiveSimultaneousInv
+
+SPECIFICATION Spec
+
+CONSTRAINT SendLimitConstraint
+
+PROPERTY
+    AllBucketsEventuallyStable