Since the Raft cluster size is set at runtime based on the passed parameters, strange errors can occur in vard if different cluster members use a different number of -node parameters. Even with cluster size set at compile time, this could be an issue if different deployments are compiled with different cluster size parameters.

One way to mitigate these kinds of errors is to let the shim perform some initial messaging before Raft communication starts, e.g., get confirmation that other nodes were configured with the same cluster size as the present node.

I'm trying to run the benchmarks against a single-node system:

$ ./vard.native -dbpath /tmp/vard-8000 -port 8000 -me 0 -node 0,127.0.0.1:9000 -debug
unordered shim running setup for VarD
unordered shim ready for action
client 115512982 connected on 127.0.0.1:49446
client 115512982 disconnected: client closed socket

The client logged above is the following invocation:

python2 bench/setup.py --service vard --keys 50 --cluster 127.0.0.1:8000
Traceback (most recent call last):
  File "bench/setup.py", line 34, in <module>
    main()
  File "bench/setup.py", line 27, in main
    host, port = Client.find_leader(args.cluster)
  File "/Users/tschottdorf/tla/verdi-raft/extraction/vard/bench/vard.py", line 27, in find_leader
    raise cls.NoLeader
vard.NoLeader

I haven't dug deeper but I did verify that I can run the benchmarks against a three-node cluster (everything running on the same machine). So, perhaps I'm silly or there is a problem with the edge case of a single-node system.

Hi,

I was going through the Raft spec and the following lines in the handleAppendEntriesResponse looked to me to be inverted

https://github.com/uwplse/verdi-raft/blob/master/raft/Raft.v#L244-L249

 Definition handleAppendEntriesReply (me : name) state src term entries (result : bool)
  : raft_data * list (name * msg) :=
....
....
    else if currentTerm state <? term then
      (* follower behind, ignore *)
      (state, [])
    else
      (* leader behind, convert to follower *)
      (advanceCurrentTerm state term, []).

It seems to me that if currentTerm state is less than the follower's term then the leader is behind and we should call advanceCurrentTerm to update its state. Similarly for the final case the follower is behind and we should leave state unchanged although calling advanceCurrentTerm on it would not make a difference.

From @pfons on April 13, 2016 0:29

A crash of the server when it executed the function that writes a snapshot to disk (updating the existing snapshot) can cause loss of data and prevent the server from recovering correctly afterworlds.

This bug is more serious than issue #50 because it can lead to loss of data. Loss of data can happen because the server, when it crashes while executing the function save, deletes/truncates the existing disk snapshot before it safely writes the new snapshot to disk.

This problem can be reproduced by simulating a crash immediately after the snapshot file is opened with O_TRUNC (save function in Shim.ml) and before the write is actually made, for example, by adding the statement assert(env.saves < 10000);.

It is probably harder to fix this bug than issue #50 because a correct implementation needs to ensure that several steps (i.e., replacing the old snapshot with the new snapshot and truncating the log) are atomic despite crashes.

Copied from original issue: uwplse/verdi#39

From @pfons on April 13, 2016 0:17

A crash during a write to the disk log (by M.to_channel in function save on file Shim.ml) can cause a partial entry to be appended to the log. When this happens the server that crashed is not able to recover and produces the following error when starting:
"Fatal error: exception Failure("input_value: truncated object")"

This problem can be simulated by stopping the server and subsequently trimming the last byte from the log. We expect partial writes during crashes to be more likely to occur when the log write cross disk block boundaries.

Copied from original issue: uwplse/verdi#38

To make all Verdi projects follow a predictable layout, VarDRaft.v should be moved to a systems directory at the root.

From @pfons on April 13, 2016 2:31

If the server is not able to read with one call the entire client request, which is sent over TCP, the server wrongly presumes that the client is disconnected and throws an exception (function read_from_socket in file Shim.ml).

The problem can be usually reproduced by simply sending the requests using two send calls on the client side.

Copied from original issue: uwplse/verdi#41

This is a more ambitious version of uwplse/verdi#123, where one uses VST to refine the Raft handlers to C code, which CompCert can compile to verified machine code. As a first step, the verified code could interact with the existing Verdi shim that Verdi Raft uses via OCaml's C interface. One could also implement a standalone shim in C by taking inspiration from the OCaml shim.

Using the verified log transformer, the current number of log entries is stored as a nat in a separate file (Count). Having a separate file can be avoided by letting the snapshot_interval be a fixed-size "machine" integer, e.g., of type int31, and storing the current number of log entries as such an integer at the head of the Log file. This would require having an operation that replaces the head of a file while leaving the rest intact. Note that overflow is impossible because one can prove that the count is always less than snapshot_interval.

From @pfons on April 13, 2016 2:37

The server-client communication protocol relies on spaces to delimit the arguments of requests and newlines to delimit the requests, which are sent over TCP connections. Because neither validation is made on the characters of the command arguments (keys and values) nor are the meta-characters escaped (newlines and spaces), by providing specially crafted input users of vard.py are able to: 1) crash the server; 2) inject commands that are executed by the servers and cause subsequent requests to return wrong results.

To reproduce the bug it suffices to create a client application that issues the following vard.py library calls:

1. Crash server:
   GET("key1 - - \n")

During the execution of the GET the leader crashes and before it terminates the leader produces the following error message:

client disconnected: received invalid input
Fatal error: exception Unix.Unix_error(Unix.EBADF, "send", "")

2. Inject commands:

PUT(key1,key1) = key1
PUT(key2,key2) = key2
PUT(key3,key3) = key3
GET(key1 - - \n132201621 216857 GET key2) = key1
GET(key1) = key2
GET(key2) = key1
GET(key3) = key2

Note that the last three GET operations produce an incorrect result.

Copied from original issue: uwplse/verdi#42

Due to the VarD code using Ascii internals and the positive type for the string map, VarDRaft also gets them. Using Ascii internals is a code smell.

From @pfons on April 13, 2016 2:29

During recovery, when opening the snapshot file, the server presumes that any error it encounters means that no snapshot was created (function get_initial_state in file Shim.ml). However, errors while opening a file can be caused by transient OS problems such as insufficient kernel memory (ENOMEM) or exceeding the system maximum number of files opened (ENFILE). If such an error occurs during recovery the server will silently discard part of the persistent state (disk snapshot) while still reading the rest of the persistent state (disk log), which will lead to safety problems.

The following sequence of steps should reproduce the bug:
a) issue client PUT requests so that snapshots and log entries are written to disk (~1000 requests)
b) stop all servers
c) remove all the permissions of the respective snapshot files (chmod 000 verdi-snapshot-900*).
d) restart all servers
e) issue one GET client request

In our tests, after this sequence of events the GET client request after recovery (step e) returns a result as if the key value store had not been populated (step a).

Apart from having replicas forget about all their state, it may be possible to create test cases where the replicas partially forget about their state given that, after recovery, replicas discard the snapshot but not the disk log.

Copied from original issue: uwplse/verdi#40

From @wilcoxjay on September 22, 2015 16:51

We should prove something like "If P is an invariant of the underlying state machine, then P is an invariant of every state machine in Raft". This should follow directly from StateMachineCorrectness.

Thanks to UPenn folks for reporting!

Copied from original issue: uwplse/verdi#23

I'm trying to build verdi-raft for a benchmark set I'm using, and I'm having some trouble.

My tool supports the released versions of Coq 8.10.0 - 8.12.2.

With Coq 8.10 and 8.11, I can install all the dependencies of verdi-raft through opam fine, but when I try to build verdi-raft itself, I get a failure of the lia tactic:

File "./raft/CommonTheorems.v", line 87, characters 11-15:
Error: Tactic failure:  Cannot find witness.

If I revert a few commits back, omega is used instead of lia, which I figured might work better on older coq versions, but then I get errors that omega was never imported.

If instead I try to build with Coq 8.12.2, I find that opam won't install the dependencies:

(base) [5] sanchezstern@swarm033> opam install coq-verdi
Sorry, no solution found: there seems to be a problem with your request.

No solution found, exiting

This surprised me because there are commits in verdi-raft that claim to support up to Coq 8.14. But the StructTact and Cheerios dependencies both seem to list coq constraints:

  "coq" {(>= "8.6.1" & < "8.12~") | (= "dev")`)

Which requires that the coq version be strictly less than 8.12, or be "dev". The opam file for StructTact on github appears to relax this constraint a bit, but the one indexed by opam in extra-dev still has the hard less than 12 constraint (as does the opam file for Cheerios in both places).

Basically, the gist of my question is, is there a recommended procedure for building verdi-raft now on non-dev coq?

The current implementation of vard and shim tries to read state from snapshot (and command log) on startup, and if that fails, loads the initial state silently. A better behavior is to signal when the snapshot and/or command log files are present, but cannot be used to build the initial state.

From @pfons on April 13, 2016 0:11

We found a bug that causes a buffer overflow on the leader when a lagging follower tries to recover. The stack overflow seems to occur within the recursive function “restore_from_log” (Shim.ml) when a very large packet is constructed and before the leader actually tries to send it.

This problem can be reproduced through the following process:
a) start 3 servers;
b) execute one client request;
c) stop a follower server;
d) execute many client requests (in our tests, at least 521,932 requests).
c) restart the server that was stopped

Here’s a sample output produced by the leader when it crashes:

   [Term 1] Sending 50 entries to 2 (currently have 521932 entries), commitIndex=521882_
   [Term 1] Sending 521881 entries to 3 (currently have 521932 entries), commitIndex=521882_
   [Term 1] Received AppendEntriesReply 50 entries true, commitIndex 521883
  Fatal error: exception Stack overflow

Copied from original issue: uwplse/verdi#37

Currently, both Raft request ids and client ids are hardcoded to nat. For some purposes, it would be more appropriate to use some other decidable type, e.g., string, for either of these ids. The most attractive solution is to parameterize the Raft transformer on any decidable types for request and client ids.

This is natural followup to uwplse/verdi#125: use the general Verdi interface to a verified file system to prove that Verdi Raft, when run using the file system, does not suffer from bugs due to corrupted logs.

Due to how the current shim uses file descriptors and the select system call to multiplex between inputs and network communication, clients can prevent node communication from happening by constantly sending requests. This is possible because timeouts only occur when no reads on file descriptors are pending.