Skip to content

PreVote enabled in TLA model checking #7404

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
achamayou merged 19 commits into from
Oct 29, 2025
Merged

PreVote enabled in TLA model checking #7404

achamayou merged 19 commits into from
Oct 29, 2025

Conversation

@cjen1-msft
Copy link
Contributor

@cjen1-msft cjen1-msft commented Oct 23, 2025
edited
Loading

Put succinctly, pre-vote requires that a follower must prove that it could be elected before becoming a candidate.

This is implemented as a special follower state: PreVoteCandidate where the follower sends speculative requestVote messages.
These RequestVotes do not have any actual change on the receiving node, but notify the PreVoteCandidate that that node would have voted for it.

This is a minimal PR to start getting model checking of this.

The current PR has:

  • PreVote for simulation, by nondeterministically choosing the state of the preVoteEnabled variable during init to check both paths.
  • PreVote for model checking

@cjen1-msft cjen1-msft marked this pull request as ready for review October 27, 2025 12:41
@cjen1-msft cjen1-msft requested a review from a team as a code owner October 27, 2025 12:42
Copilot AI review requested due to automatic review settings October 27, 2025 12:42
Copilot AI reviewed Oct 27, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR implements PreVote support in the TLA+ model checking specification for CCF Raft consensus. PreVote is a mechanism where followers must first prove they could be elected (via a speculative vote round) before becoming actual candidates, helping prevent disruptive election attempts.

Key changes:

  • Added PreVoteCandidate leadership state between Follower and Candidate
  • Introduced preVoteEnabled configuration variable to allow testing both with and without PreVote
  • Modified election logic to require majority pre-votes before transitioning to full candidacy

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
tla/consensus/ccfraft.tla Core PreVote implementation: new state, configuration variable, updated transitions and message handlers
tla/consensus/Traceccfraft.tla Updated trace validation to include configVars in UNCHANGED clauses
tla/consensus/Traceccfraft.cfg Added PreVoteCandidate constant mapping
tla/consensus/SIMccfraft.tla Added simulation init to non-deterministically set preVoteEnabled
tla/consensus/SIMccfraft.cfg Configured simulation to use new init function
tla/consensus/MCccfraft.tla Added model checking init and debug invariant for PreVote
tla/consensus/MCccfraft.cfg Added PreVoteCandidate constant and debug invariant

@achamayou achamayou added the run-long-verification Run Long Verification jobs label Oct 28, 2025
achamayou
achamayou reviewed Oct 28, 2025
View reviewed changes
achamayou
achamayou reviewed Oct 28, 2025
View reviewed changes
achamayou
achamayou reviewed Oct 28, 2025
View reviewed changes
achamayou
achamayou reviewed Oct 28, 2025
View reviewed changes
@cjen1-msft cjen1-msft marked this pull request as draft October 28, 2025 14:19
@cjen1-msft cjen1-msft marked this pull request as ready for review October 29, 2025 10:39
@cjen1-msft
Copy link
Contributor Author

cjen1-msft commented Oct 29, 2025

This should be ready for review. I've cancelled the CI for now. Will rebase on main when the CI is quieter.

@achamayou achamayou merged commit 064aeb4 into microsoft:main Oct 29, 2025
28 of 29 checks passed
@achamayou achamayou deleted the pre-vote-tla branch October 29, 2025 23:58
@cjen1-msft cjen1-msft added 2.x-todo PRs which should be backported to 2.x 6.x-todo PRs which should be backported to 6.x and removed 2.x-todo PRs which should be backported to 2.x labels Nov 5, 2025
cjen1-msft added a commit to cjen1-msft/CCF that referenced this pull request Nov 5, 2025
@cjen1-msft @achamayou
PreVote enabled in TLA model checking (microsoft#7404)
b6f499c 
Co-authored-by: Amaury Chamayou <amchamay@microsoft.com>
@cjen1-msft cjen1-msft mentioned this pull request Nov 5, 2025
Merged
cjen1-msft added a commit to cjen1-msft/CCF that referenced this pull request Nov 5, 2025
@cjen1-msft @achamayou
PreVote enabled in TLA model checking (microsoft#7404)
6a5625e 
Co-authored-by: Amaury Chamayou <amchamay@microsoft.com>
achamayou pushed a commit that referenced this pull request Nov 17, 2025
@cjen1-msft
[release/6.x] Backport pre-vote capability (#7374, #7375, #7404, #7409,
5120ce9 
#7438, #7445, #7458) (#7436)
@eddyashton eddyashton added backported This PR was successfully backported to LTS branch and removed run-long-verification Run Long Verification jobs labels Dec 3, 2025
@eddyashton
Copy link
Member

eddyashton commented Dec 3, 2025

Adding backported label - this was backported in #7436.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@achamayou achamayou achamayou approved these changes

Assignees

No one assigned

Labels

6.x-todo PRs which should be backported to 6.x backported This PR was successfully backported to LTS branch

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cjen1-msft @eddyashton @achamayou