chore: Add Quint model of Interchain Security

[p-offtermatt]

Description

Closes: #1239

This adds a quint model of interchain Security, based on the existing TLA+ model by @Kukovec.
There are a few notable differences:

• Initializing is removed as a status - this is mostly because my goal is to use the model for MBT, and the initializing state is probably something we would skip past in the tests (also since the interactions with the initializing state aren't very meaningful in the model)
• The actions the model exposes are slightly different, e.g. time advancement and chain status advancement are separate actions and don't happen simultaneously with other actions. This is because this makes the traces easier to test in Quint, i.e. more control over what happens when.
• I model endBlocks for both provider and consumer chains. This is because I think this is a useful extra level of implementation details that will make test traces more meaningful.

Other than that, some implementation details are different. Some are my preference, some are just due to what is more natural to write in Quint, some are to (hopefully) make traces that are easier to use.

When this PR is merged, the model should also be added to the spec repo.

---

Author Checklist

All items are required. Please add a note to the item if the item is not applicable and
please add links to any relevant follow up issues.

I have...

• Included the correct type prefix in the PR title
• Targeted the correct branch (see PR Targeting)
• Provided a link to the relevant issue or specification
• Reviewed "Files changed" and left comments if necessary
• Confirmed all CI checks have passed

Reviewers Checklist

All items are required. Please add a note if the item is not applicable and please add
your handle next to the items reviewed if you only reviewed selected items.

I have...

• Confirmed the correct type prefix in the PR title
• Confirmed all author checklist items have been addressed
• Confirmed that this PR does not change production code

[shaspitz]

Great work! Very useful and well documented. I haven't taken too deep of a dive into model logic yet.

My two cents w.r.t the more broad conversation of using quint vs something like Rapid:

• This model definitely seems readable, so readability of .qnt vs .go isn't an issue.
• I'm still having trouble understanding why quint as a language is more succinct for writing models compared to other programming languages that're more widely known. There are global variables, types, functions, actions etc. defined, all composed together to create what we're referring to as a "model". These abstractions are all possible to encode with golang from my knowledge.
• Can we use a debugger for .qnt like we could with .go files?
• I'm not able to really validate the model logic until I take time to learn quint. This is mostly a me problem :)

[shaspitz]

Is this pretty much an example validator set? If so, why not define it as a ValidatorSet?

[p-offtermatt]

This is supposed to be the set of "potential" full nodes that could be validators, i.e. the validator set will be a subset of these (because some may not have any power=bonded tokens).

[shaspitz]

Can these model parameters be changed? Ie. could we theoretically execute the model with 5 consumers for example

[p-offtermatt]

Yes, exactly, this can be changed.

[shaspitz]

Do tests over the model always have to be explicitly defined? My understanding is that quint somehow enables fuzzed or implicitly generated test cases

[p-offtermatt]

They do not need to be defined, Quint allows doing PBT in-built (checking that given invariants always hold).
This manual test case is mostly there for my benefit while writing the model to gradually check things I introduced, and can complement random testing.

[shaspitz]

Nice!

[p-offtermatt]

Thanks for taking the time to review!

* This model definitely seems readable, so readability of .qnt vs .go isn't an issue.

That's great to hear!

* I'm still having trouble understanding why quint as a language is more succinct for writing models compared to other programming languages that're more widely known. There are global variables, types, functions, actions etc. defined, all composed together to create what we're referring to as a "model". These abstractions are all possible to encode with golang from my knowledge.

In principle, you are right, this can also be written in Golang. One big advantage is that Quint can be model-checked, which we would have a hard time doing with Golang (since it has more fine-grained concepts of e.g. memory, the state space blows up much faster).

* Can we use a debugger for .qnt like we could with .go files?

Something like it, there is a REPL that can serve the same purpose, though it is a bit different in the exact usage.

Thanks again for commenting, it's very helpful to hear different perspectives on this! If you find any of my responses unconvincing, please do let me know!

[shaspitz]

@p-offtermatt thanks for the responses! W.r.t One big advantage is that Quint can be model-checked, what do you mean by this? Is model checking the process of generating a large number of test traces over the described model? From my understanding Rapid has mechanisms which do this, although I admittedly do not have knowledge about the internals

[p-offtermatt]

@p-offtermatt thanks for the responses! W.r.t One big advantage is that Quint can be model-checked, what do you mean by this? Is model checking the process of generating a large number of test traces over the described model? From my understanding Rapid has mechanisms which do this, although I admittedly do not have knowledge about the internals

No, model-checking is more powerful. Intuitively, model-checking is an exhaustive way of checking all possible states of the model for given properties. Imagine for the Cosmos Hub, we want to ensure that token balances of wallets can never become negative. We could just try to show this e.g. via PBT by exhaustively generating test traces. Imagine there are 5 trillion possible states reachable over the course of the next 5 blocks (this is a vast underestimation of the state space for the Cosmos Hub that can be reached in 5 blocks), then exhaustively generating test traces can clearly never cover the whole state space in a reasonable time span. Model-checking in this context would mean checking all 5 trillion possible states, and we could conclusively say that in none of them is a wallet balance negative.

The problem is that model-checking a "full programming language" is very hard and slow, but for Quint it's possible. The proposed workflow then is to write a Quint model -> Model-check the Quint model to confirm it fulfills desirable safety properties -> use model-based testing to confirm the code behaves like the model, thus the code fulfills the desirable properties.

[mpoke]

Partial review before going into the model actions. See my comments below.

[mpoke]

Splitting the model into functional and SM would make these functions pure. For example, just define a type VotingPowerHistories and pass it to the function. I believe this would make the logic much easier to understand and maintain.

[mpoke]

This should be a pure function.

[mpoke]

Wouldn't this be more efficient to just look at the oldest packet in the list? Or we do not remove packets once they arrive?

[mpoke]

Why was the packet sent at the current time on the provider minus the packet timeout?

[mpoke]

What about sentVSCPackets and providerValidatorSetChangedInThisBlock?

[mpoke]

Some more comments.

[mpoke]

Why is it relevant to have an action that changes the power of a single validator. Wouldn't make more sense to have an action that changes the powers of a subset of the nodes? Like this, a change of powers for three validators can be done in one step instead of three.

[mpoke]

ditto: more efficient to receive an arbitrary number of packets

[mpoke]

Why is the all keyword needed here?

[mpoke]

ditto: arbitrary number of packets

[mpoke]

This construction looks weird. Isn't any other way to do an if-else within an action?

[mpoke]

outstandingPacketsToConsumer remains unchanged. Why calling RegisterNewOutstandingPackets?

[mpoke]

Why 1 to 10? What's the scale of time?

[mpoke]

Also, is there a limit for the difference in time between two chains?

[mpoke]

Why not use chains.mabBy()?

[mpoke]

Why is this a different function than AdvanceTime()?

[mpoke]

shouldAdvance is not clear.

[p-offtermatt]

Converting this to draft to make major changes after discussing with Marius - please hold on reviewing this for the new version!

Notes to myself:

• curTimes are unnecessary - timestamps should be per block, and time advancement happens just in endBlock. same for consumer status
• more realistic constant values
• Split functional and state machine parts

[p-offtermatt]

Just to keep it cleaner, I will close this PR and open a new one with the new model.
The model is rewritten from scratch anyways, so the old comments will not be very relevant.