microsoft · achamayou · Oct 29, 2025 · Oct 17, 2025 · Oct 23, 2025 · Oct 23, 2025
@@ -15,10 +15,15 @@ CONSTANTS
     Nil = Nil
 
     Follower = L_Follower
+    PreVoteCandidate = L_PreVoteCandidate
     Candidate = L_Candidate
     Leader = L_Leader
     None = L_None
 
+    PreVoteDisabled = PV_PreVoteDisabled
+    PreVoteCapable = PV_PreVoteCapable
+    PreVoteEnabled = PV_PreVoteEnabled
+
     Active = R_Active
     RetirementOrdered = R_RetirementOrdered
     RetirementSigned = R_RetirementSigned

@@ -106,10 +106,13 @@ MCSend(msg) ==
         /\ n.type = AppendEntriesResponse
     /\ CCF!Send(msg)
 
+MCInitPreVoteStatus == PreVoteStatusTypeInv
+
 MCInit ==
     /\ InitMessagesVars
     /\ InitCandidateVars
     /\ InitLeaderVars
+    /\ MCInitPreVoteStatus
     /\ IF Cardinality(Configurations[1]) = 1
        \* If the first config is just one node, we can start with a two-tx log and a single config.
        THEN InitLogConfigServerVars(Configurations[1], StartLog)

@@ -6,10 +6,15 @@ CONSTANTS
     Nil = Nil
 
     Follower = L_Follower
+    PreVoteCandidate = L_PreVoteCandidate
     Candidate = L_Candidate
     Leader = L_Leader
     None = L_None
 
+    PreVoteDisabled = PV_PreVoteDisabled
+    PreVoteCapable = PV_PreVoteCapable
+    PreVoteEnabled = PV_PreVoteEnabled
+
     Active = R_Active
     RetirementOrdered = R_RetirementOrdered
     RetirementSigned = R_RetirementSigned
@@ -51,6 +56,8 @@ CONSTANTS
     Extend <- [abs]ABSExtend
     CopyMaxAndExtend <- [abs]ABSCopyMaxAndExtend
 
+    InitPreVoteStatus <- SIMInitPreVoteStatus
+
 _PERIODIC
     Periodically
 
@@ -71,6 +78,8 @@ PROPERTIES
     LeaderProp
     LogMatchingProp
 
+    VotesGrantedMonotonicProp
+
 \* ALIAS
 \*     \* DebugAlias
 \*     \* DebugActingServerAlias
@@ -115,4 +124,5 @@ INVARIANTS
     \* DebugInvAllMessagesProcessable
     \* DebugInvRetirementReachable
     \* DebugInvUpToDepth
-    \* DebugMoreUpToDateCorrectInv
+    \* DebugMoreUpToDateCorrectInv
+    \* DebugNonTrivialLeaderInv
@@ -16,6 +16,8 @@ SIMInitReconfigurationVars ==
     \* Start with any subset of servers in the active configuration.
     \/ CCF!InitReconfigurationVars
 
+SIMInitPreVoteStatus == PreVoteStatusTypeInv
+
 LOCAL R ==
     1..IF "R" \in DOMAIN IOEnv THEN atoi(IOEnv.R) ELSE 10
 
@@ -66,6 +68,7 @@ SIMFairness ==
     /\ \A s \in Servers : WF_vars(SignCommittableMessages(s))
     /\ \A s \in Servers : WF_vars(AdvanceCommitIndex(s))
     /\ \A s \in Servers : WF_vars(AppendRetiredCommitted(s))
+    /\ \A s \in Servers : WF_vars(PreVoteEnabled \in preVoteStatus /\ BecomeCandidate(s))
     /\ \A s \in Servers : WF_vars(BecomeLeader(s))
     \* The following fairness conditions reference the original CCF actions
     \* and, thus, do not include the RandomElement conjunct.

@@ -54,13 +54,20 @@ CONSTANTS
 
     InitReconfigurationVars <- TraceInitReconfigurationVars
 
+    InitPreVoteStatus <- TraceInitPreVoteStatus
+
     Nil = Nil
 
     Follower = L_Follower
+    PreVoteCandidate = L_PreVoteCandidate
     Candidate = L_Candidate
     Leader = L_Leader
     None = L_None
 
+    PreVoteDisabled = PV_PreVoteDisabled
+    PreVoteCapable = PV_PreVoteCapable
+    PreVoteEnabled = PV_PreVoteEnabled
+
     Active = R_Active
     RetirementOrdered = R_RetirementOrdered
     RetirementSigned = R_RetirementSigned

@@ -111,6 +111,8 @@ TraceAppendEntriesBatchsize(i, j) ==
 TraceInitReconfigurationVars ==
     /\ InitLogConfigServerVars({TraceLog[1].msg.state.node_id}, StartLog)
 
+TraceInitPreVoteStatus == PreVoteStatusTypeInv
+
 -------------------------------------------------------------------------------------
 
 VARIABLE l, ts
@@ -149,7 +151,7 @@ IsDropPendingTo ==
     /\ IsEvent("drop_pending_to")
     /\ Network!DropMessage(logline.msg.to_node_id,
                 LAMBDA msg: IsMessage(msg, logline.msg.to_node_id, logline.msg.from_node_id, logline))
-    /\ UNCHANGED <<reconfigurationVars, serverVars, candidateVars, leaderVars, logVars>>
+    /\ UNCHANGED <<preVoteStatus, reconfigurationVars, serverVars, candidateVars, leaderVars, logVars>>
 
 IsTimeout ==
     /\ IsEvent("become_candidate")
@@ -402,7 +404,7 @@ IsRcvProposeVoteRequest ==
             /\ m.type = ProposeVoteRequest
             /\ m.term = logline.msg.packet.term
             /\ Discard(m)
-            /\ UNCHANGED <<commitIndex, reconfigurationVars, currentTerm, isNewFollower, leadershipState, log, matchIndex, membershipState, sentIndex, votedFor, votesGranted>>
+            /\ UNCHANGED <<preVoteStatus, commitIndex, reconfigurationVars, currentTerm, isNewFollower, leadershipState, log, matchIndex, membershipState, sentIndex, votedFor, votesGranted>>
     /\ Range(logline.msg.state.committable_indices) \subseteq CommittableIndices(logline.msg.state.node_id)
     /\ commitIndex[logline.msg.state.node_id] = logline.msg.state.commit_idx
     /\ leadershipState[logline.msg.state.node_id] = ToLeadershipState[logline.msg.state.leadership_state]