|
1 | 1 | # Leios logbook |
2 | 2 |
|
| 3 | +## 2024-10-14 |
| 4 | + |
| 5 | +### Discussing Conformance testing approach |
| 6 | + |
| 7 | +We are trying to understand the link between formal ledger specification and cardano-ledger, as we want to find a better way to relate Agda spec w/ actual code building a conformance testing suite: |
| 8 | + |
| 9 | +* Formal specification lives in [formal-ledger-specifications](https://github.com/IntersectMBO/formal-ledger-specifications) repository |
| 10 | + * There is a branch there called `MAlonzo-code` which contains MAlonzo-based generated Haskell code from the spec |
| 11 | +* This branch is referred to in the [cabal.project](https://github.com/IntersectMBO/cardano-ledger/blob/master/cabal.project#L21) of cardano-ledger as a source-level dependency |
| 12 | +* The toplevle module in the generated code is name `Lib` |
| 13 | + * Perhaps a [more descriptive name](https://github.com/IntersectMBO/formal-ledger-specifications/issues/595) would be useful? |
| 14 | +* This module is imported and renamed as `Agda` in cardano-ledger repo, in the `cardano-ledger-conformance` library |
| 15 | + |
| 16 | +The link between the formal spec and the ledger impl is mediated by the [constrained-generators](https://github.com/IntersectMBO/cardano-ledger/tree/master/libs/constrained-generators) library which provides a DSL for expressing constraintss from which generators, shrinkers, and predicate can be derived: |
| 17 | + |
| 18 | +* Traces tests use `minitraceEither` is a generator for traces in the Small-step semantics of the ledger |
| 19 | +* the `ExecSpecRule` typeclass is defined for the various categories of transactions (eg. `POOL`, `RATIFY`, etc.) and provides methods for producing constrained spec expressions |
| 20 | +* the `runAgdaRule` methods does the linking between an environment, a state and a transition, "executing" the corresponding Agda rule |
| 21 | +* the `checkConformance` function ultimately calls the latter and does the comparison |
| 22 | + |
| 23 | +We can run the conformance tests in the ledger spec :tada: |
| 24 | + |
| 25 | +#### What approach for Leios? |
| 26 | + |
| 27 | +* We don't have an executable Agda spec for Leios, only a relational one (with holes). |
| 28 | +* We need to make the spec executable, but we know from experience with Peras that maintaining _both_ a relational spec and an executable spec is costly |
| 29 | + * to guarantee at least soundness we need to prove the executable spec implements correctly the relational one which is non trivial |
| 30 | +* Also, a larger question is how do we handle adversarial behaviour in the spec? |
| 31 | + * it's expected the specification uses dependent types to express the preconditions for a transition, so that only valid transitions can be expressed at the level of the specification |
| 32 | + * but we want the _implementaiton_ to also rule out those transitions and therefore we want to explicitly test failed preconditions |
| 33 | +* then the question is: how does the (executable) specification handles failed preconditions? does it crash? can we know in some ways it failed? |
| 34 | + * we need to figure how this is done in the ledger spec |
| 35 | +* In the case of Peras, we started out modelling an `Adversary` or dishonest node in the spec but this proved cumbersome and we needed to relax or remove that constraint to make progress |
| 36 | + * however, it seems we really want the executable spec to be _total_ in the sense that any sequence of transitions, valid or invalid, has a definite result |
| 37 | + |
| 38 | +* we have summarized short term plan [here](https://github.com/input-output-hk/ouroboros-leios/issues/42) |
| 39 | +* we also need to define a "longer" term plan, eg. 2 months horizon |
| 40 | + |
3 | 41 | ## 2024-10-10 |
4 | 42 |
|
5 | 43 | ### Approximate transaction sizes and frequencies |
|
0 commit comments