Add update payload to chain traces (#649)

- Lower the coverage threshold for "at least 10% of the update proposals do not
  change the maximum transaction-size"
- Increase the trace length to 300 in the `onlyValidSignalsAreGenerated @CHAIN`
  propoerty
- Fix the update generator. It allowed to produce a maximum transaction size
  that was bigger than the current maximum block size.
- Guard the `newMaxBkSize - 1` against underflows
- Lower 10% the bounds for the "at least 10% of the proposals get enough
  endorsements" coverage check.
- Generate `CHAIN` delegation payload only in 30% of the cases.
- Tweak the coverage metrics to account for the fact that we do not want to
  decrease certain protocol parameter values to prevent the signal production
  (blocks, transactions, etc) from stopping.
- Set a memory limit for the tests in `cs-blockchain`
- Fix the abstract size test where the number of characters in the system tags
  were not being counted.
- Fix arithmetic underflow when checking validity of proposed script version.
- Factor out functions for generating update proposal and votes, and
  endorsements. See `updateProposalAndVotesGen` and
  `protocolVersionEndorsementGen`.
- Ignore `stack` lock file.
- Limit the line width to 80. 100 characters is not suitable for working with
    two vertical panes on a laptop, with a font size that is legible for people
    with less than optimal vision (like @dnadales :) ).

Author: dnadales

.editorconfig

@@ -7,8 +7,9 @@ end_of_line = lf
 charset = utf-8
 trim_trailing_whitespace = true
 insert_final_newline = true
-max_line_length = 100
+# See: https://github.com/input-output-hk/cardano-wallet/wiki/Coding-Standards
+max_line_length = 80
 
 [*.hs]
 indent_size = 2
-max_line_length = 100
+max_line_length = 80

.gitignore

@@ -31,6 +31,7 @@
 *~
 dist-newstyle/
 cabal.project.local
+stack.yaml.lock
 
 # Editors
 TAGS

byron/chain/executable-spec/cs-blockchain.cabal

@@ -76,5 +76,8 @@ test-suite chain-rules-test
                        -Wincomplete-record-updates
                        -Wincomplete-uni-patterns
                        -Wredundant-constraints
+                       -- See `cs-ledger.cabal` for an explanation of the
+                       -- options below.
+                       "-with-rtsopts=-K4m -M300m"
   if (!flag(development))
     ghc-options:       -Werror

byron/chain/executable-spec/src/Cardano/Spec/Chain/STS/Block.hs

@@ -1,22 +1,22 @@
-{-# LANGUAGE DeriveGeneric     #-}
-{-# LANGUAGE OverloadedLists   #-}
-{-# LANGUAGE TemplateHaskell   #-}
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE OverloadedLists #-}
+{-# LANGUAGE TemplateHaskell #-}
 
 module Cardano.Spec.Chain.STS.Block where
 
-import Control.Lens ((^.), makeLenses, view)
+import           Control.Lens (makeLenses, view, (^.))
+import           Control.State.Transition.Generator
+import           Data.AbstractSize
 import qualified Data.Hashable as H
-import Data.AbstractSize
 import qualified Data.Map.Strict as Map
-import Data.Sequence ((<|))
-import Data.Typeable (typeOf)
-import Numeric.Natural (Natural)
-import GHC.Generics (Generic)
-import Control.State.Transition.Generator
-import Ledger.Core (Hash(Hash), VKey, Slot, Sig)
-import Ledger.Delegation
-import Ledger.Update (STag, ProtVer, UProp, Vote)
-import Ledger.UTxO (TxWits, TxIn, TxOut, Wit)
+import           Data.Sequence ((<|))
+import           Data.Typeable (typeOf)
+import           GHC.Generics (Generic)
+import           Ledger.Core (Hash (Hash), Sig, Slot, VKey)
+import           Ledger.Delegation
+import           Ledger.Update (ProtVer, STag, UProp, Vote)
+import           Ledger.UTxO (TxIn, TxOut, TxWits, Wit)
+import           Numeric.Natural (Natural)
 
 data BlockHeader
   = MkBlockHeader
@@ -39,7 +39,7 @@ data BlockHeader
     -- TODO: BlockVersion – the protocol (block) version that created the block
 
     -- TODO: SoftwareVersion – the software version that created the block
-  } deriving (Generic, Show)
+  } deriving (Eq, Generic, Show)
 
 makeLenses ''BlockHeader
 

byron/chain/executable-spec/src/Cardano/Spec/Chain/STS/Rule/BHead.hs

@@ -6,6 +6,7 @@ module Cardano.Spec.Chain.STS.Rule.BHead where
 
 import           Control.Lens ((^.), _1)
 import           Data.Bimap (Bimap)
+import           Numeric.Natural
 
 import           Control.State.Transition
 import           Ledger.Core
@@ -31,7 +32,7 @@ instance STS BHEAD where
 
   data PredicateFailure BHEAD
     = HashesDontMatch -- TODO: Add fields so that users know the two hashes that don't match
-    | HeaderSizeTooBig -- TODO: Add more information here as well.
+    | HeaderSizeTooBig BlockHeader Natural (Threshold Natural)
     | SlotDidNotIncrease
     -- ^ The block header slot number did not increase w.r.t the last seen slot
     | SlotInTheFuture
@@ -47,7 +48,8 @@ instance STS BHEAD where
         TRC ((_, sLast, k), us, bh) <- judgmentContext
         us' <- trans @EPOCH $ TRC ((sEpoch sLast k, k), us, bh ^. bhSlot)
         let sMax = snd (us' ^. _1) ^. maxHdrSz
-        bHeaderSize bh <= sMax ?! HeaderSizeTooBig
+        bHeaderSize bh <= sMax
+          ?! HeaderSizeTooBig bh (bHeaderSize bh) (Threshold sMax)
         return $! us'
     ]
 

byron/chain/executable-spec/src/Cardano/Spec/Chain/STS/Rule/Chain.hs

@@ -18,6 +18,7 @@ import qualified Data.Map as Map
 import           Data.Sequence (Seq)
 import           Data.Set (Set)
 import qualified Data.Set as Set
+import           Data.Word (Word8)
 import           Hedgehog (Gen)
 import qualified Hedgehog.Gen as Gen
 import qualified Hedgehog.Range as Range
@@ -31,12 +32,13 @@ import           Ledger.Core
 import qualified Ledger.Core.Generators as CoreGen
 import           Ledger.Delegation
 import           Ledger.Update hiding (delegationMap)
+import qualified Ledger.Update as Update
 import           Ledger.UTxO (UTxO)
 
 import           Cardano.Spec.Chain.STS.Block
 import           Cardano.Spec.Chain.STS.Rule.BBody
 import           Cardano.Spec.Chain.STS.Rule.BHead
-import           Cardano.Spec.Chain.STS.Rule.Epoch (sEpoch)
+import           Cardano.Spec.Chain.STS.Rule.Epoch (EPOCH, sEpoch)
 import           Cardano.Spec.Chain.STS.Rule.Pbft
 import qualified Cardano.Spec.Chain.STS.Rule.SigCnt as SigCntGen
 
@@ -189,45 +191,110 @@ instance HasTrace CHAIN where
       -- current slot to a sufficiently large value.
       gCurrentSlot = Slot <$> Gen.integral (Range.constant 32768 2147483648)
 
-  sigGen _ = sigGenChain GenDelegation GenUTxO Nothing
+  sigGen _ = sigGenChain GenDelegation GenUTxO GenUpdate Nothing
 
 data ShouldGenDelegation = GenDelegation | NoGenDelegation
 
 data ShouldGenUTxO = GenUTxO | NoGenUTxO
 
+data ShouldGenUpdate = GenUpdate | NoGenUpdate
+
 sigGenChain
   :: ShouldGenDelegation
   -> ShouldGenUTxO
+  -> ShouldGenUpdate
   -> Maybe (PredicateFailure CHAIN)
   -> Environment CHAIN
   -> State CHAIN
   -> Gen (Signal CHAIN)
-sigGenChain shouldGenDelegation shouldGenUTxO _ (_sNow, utxo0, ads, pps, k) (Slot s, sgs, h, utxo, ds, _us)
+sigGenChain
+  shouldGenDelegation
+  shouldGenUTxO
+  shouldGenUpdate
+  _
+  (_sNow, utxo0, ads, _pps, k)
+  (Slot s, sgs, h, utxo, ds, us)
   = do
+    -- We'd expect the slot increment to be close to 1, even for large Gen's
+    -- size numbers.
+    nextSlot <- Slot . (s +) <$> Gen.integral (Range.exponential 1 10)
+
+    -- We need to generate delegation, update proposals, votes, and transactions
+    -- after a potential update in the protocol parameters (which is triggered
+    -- only at epoch boundaries). Otherwise the generators will use a state that
+    -- won't hold when the rules that correspond to these generators are
+    -- applied. For instance, the fees might change, which will render the
+    -- transaction as invalid.
+    --
+    let (us', _) = applySTSIndifferently @EPOCH $ TRC ( (sEpoch (Slot s) k, k)
+                                                      , us
+                                                      , nextSlot
+                                                      )
+
+        pps' = protocolParameters us'
+
+        upienv =
+          ( Slot s
+          , _dIStateDelegationMap ds
+          , k
+          , toNumberOfGenesisKeys $ Set.size ads
+          )
+
+        -- TODO: we might need to make the number of genesis keys a newtype, and
+        -- provide this function in the same module where this newtype is
+        -- defined.
+        toNumberOfGenesisKeys n
+          | fromIntegral (maxBound :: Word8) < n =
+              error $ "sigGenChain: too many genesis keys: " ++ show  n
+          | otherwise = fromIntegral n
+
+    aBlockVersion <-
+      Update.protocolVersionEndorsementGen upienv us'
+
     -- Here we do not want to shrink the issuer, since @Gen.element@ shrinks
     -- towards the first element of the list, which in this case won't provide
     -- us with better shrinks.
-    vkI         <- SigCntGen.issuer (pps, ds ^. dmsL, k) sgs
-    nextSlot    <- gNextSlot
-
-    delegationPayload <- case shouldGenDelegation of
-      GenDelegation   ->
-        let dsEnv = DSEnv
-                    { _dSEnvAllowedDelegators = ads
-                    , _dSEnvEpoch = sEpoch nextSlot k
-                    , _dSEnvSlot = nextSlot
-                    , _dSEnvK = k
-                    }
-        in
-        dcertsGen dsEnv ds
-      NoGenDelegation -> pure []
-
-    utxoPayload <- case shouldGenUTxO of
-      GenUTxO   -> sigGen @UTXOWS Nothing utxoEnv utxo
-      NoGenUTxO -> pure []
+    vkI <- SigCntGen.issuer (pps', ds ^. dmsL, k) sgs
+
+    delegationPayload <-
+      case shouldGenDelegation of
+        GenDelegation   ->
+          -- In practice there won't be a delegation payload in every block, so we
+          -- make this payload sparse.
+          --
+          -- NOTE: We arbitrarily chose to generate delegation payload in 30% of
+          -- the cases. We could make this configurable.
+          Gen.frequency
+            [ (7, pure [])
+            , (3,
+               let dsEnv =
+                    DSEnv
+                      { _dSEnvAllowedDelegators = ads
+                      , _dSEnvEpoch = sEpoch nextSlot k
+                      , _dSEnvSlot = nextSlot
+                      , _dSEnvK = k
+                      }
+               in dcertsGen dsEnv ds
+              )
+            ]
+        NoGenDelegation -> pure []
+
+    utxoPayload <-
+      case shouldGenUTxO of
+        GenUTxO   ->
+          let utxoEnv = UTxOEnv utxo0 pps' in
+            sigGen @UTXOWS Nothing utxoEnv utxo
+        NoGenUTxO -> pure []
+
+    (anOptionalUpdateProposal, aListOfVotes) <-
+      case shouldGenUpdate of
+        GenUpdate ->
+          Update.updateProposalAndVotesGen upienv us'
+        NoGenUpdate ->
+          pure (Nothing, [])
 
     let
-      dummySig       = Sig genesisHash (owner vkI)
+      dummySig = Sig genesisHash (owner vkI)
       unsignedHeader = MkBlockHeader
         h
         nextSlot
@@ -244,14 +311,8 @@ sigGenChain shouldGenDelegation shouldGenUTxO _ (_sNow, utxo0, ads, pps, k) (Slo
         BlockBody
           delegationPayload
           utxoPayload
-          Nothing -- Update proposal
-          []      -- Votes on update proposals
-          (ProtVer 0 0 0)
+          anOptionalUpdateProposal
+          aListOfVotes
+          aBlockVersion
 
     pure $ Block signedHeader bb
-   where
-     -- We'd expect the slot increment to be close to 1, even for large
-     -- Gen's size numbers.
-     gNextSlot = Slot . (s +) <$> Gen.integral (Range.exponential 1 10)
-
-     utxoEnv   = UTxOEnv {utxo0, pps}

byron/chain/executable-spec/test/Cardano/AbstractSize/Properties.hs

@@ -17,14 +17,14 @@ import           Data.Typeable (TypeRep, Typeable, typeOf)
 import           Data.Word (Word64)
 import           Numeric.Natural (Natural)
 
-import           Hedgehog (MonadTest, Property, forAll, property, withTests, (===))
+import           Hedgehog (MonadTest, Property, diff, forAll, property, withTests, (===))
 import           Test.Tasty.Hedgehog
 
 import           Control.State.Transition.Generator (trace)
 import           Control.State.Transition.Trace (TraceOrder (OldestFirst), traceSignals)
 import           Ledger.Core hiding ((<|))
 import           Ledger.Delegation (DCert)
-import           Ledger.Update (ProtVer (..), STag, UProp (..), Vote)
+import           Ledger.Update (ProtVer (..), UProp (..), Vote)
 import           Ledger.UTxO
 
 import           Cardano.Spec.Chain.STS.Block (Block (..), BlockBody (..), BlockHeader (..))
@@ -136,10 +136,13 @@ propMultipleOfSizesBlock b =
     abstractSize (mkCost @TxWits) b === length (_bUtxo body_)
     abstractSize (mkCost @Vote)   b === length (_bUpdVotes body_)
     abstractSize (mkCost @UProp)  b === length (maybeToList (_bUpdProp body_))
-    abstractSize (mkCost @STag)   b
-      === case _bUpdProp body_ of
-            Just uprop -> Set.size (_upSTags uprop)
-            Nothing -> 0
+    -- A STag is a string, so we need to make sure that all the characters are
+    -- accounted for in the size computation. We cannot use equality, since
+    -- characters might appear in other parts of the block.
+    diff
+      (maybe 0 (sum . fmap length . Set.toList . _upSTags) (_bUpdProp body_))
+      (<=)
+      (abstractSize (mkCost @Char) b)
 
     -- BlockHeader appears only once
     abstractSize (mkCost @BlockHeader) b === 1

byron/chain/executable-spec/test/Cardano/Spec/Chain/STS/Properties.hs

@@ -23,7 +23,9 @@ import           Ledger.Core (BlockCount (BlockCount))
 slotsIncrease :: Property
 slotsIncrease = property $ do
   let (maxTraceLength, step) = (1000, 100)
-  tr <- forAll $ traceSigGen (Maximum maxTraceLength) (sigGenChain NoGenDelegation NoGenUTxO)
+  tr <- forAll $ traceSigGen
+                   (Maximum maxTraceLength)
+                   (sigGenChain NoGenDelegation NoGenUTxO NoGenUpdate)
   classifyTraceLength tr maxTraceLength step
   slotsIncreaseInTrace tr
 
@@ -36,7 +38,9 @@ blockIssuersAreDelegates :: Property
 blockIssuersAreDelegates =
   withTests 200 $ property $ do
     let (maxTraceLength, step) = (1000, 100)
-    tr <- forAll $ traceSigGen (Maximum maxTraceLength) (sigGenChain GenDelegation NoGenUTxO)
+    tr <- forAll $ traceSigGen
+                     (Maximum maxTraceLength)
+                     (sigGenChain GenDelegation NoGenUTxO GenUpdate)
     classifyTraceLength tr maxTraceLength step
     checkBlockIssuersAreDelegates tr
   where
@@ -55,12 +59,14 @@ blockIssuersAreDelegates =
 
 onlyValidSignalsAreGenerated :: Property
 onlyValidSignalsAreGenerated =
-  withTests 300 $ TransitionGenerator.onlyValidSignalsAreGenerated @CHAIN 100
+  withTests 200 $ TransitionGenerator.onlyValidSignalsAreGenerated @CHAIN 300
 
 signersListIsBoundedByK :: Property
 signersListIsBoundedByK = property $ do
   let maxTraceLength = 1000
-  tr <- forAll $ traceSigGen (Maximum maxTraceLength) (sigGenChain GenDelegation NoGenUTxO)
+  tr <- forAll $ traceSigGen
+                   (Maximum maxTraceLength)
+                   (sigGenChain GenDelegation NoGenUTxO GenUpdate)
   signersListIsBoundedByKInTrace tr
   where
     signersListIsBoundedByKInTrace :: MonadTest m => Trace CHAIN -> m ()

byron/ledger/executable-spec/cs-ledger.cabal

@@ -114,7 +114,7 @@ test-suite ledger-rules-test
                -- We set a bound here so that we're alerted of potential space
                -- leaks in our generators (or test) code.
                --
-               -- The 4 megabytes stack bound and 50 megabytes heap bound were
+               -- The 4 megabytes stack bound and 150 megabytes heap bound were
                -- determined ad-hoc.
                "-with-rtsopts=-K4m -M150m"
   if (!flag(development))

byron/ledger/executable-spec/src/Ledger/Update.hs

@@ -33,7 +33,7 @@ import           Data.Ix (inRange)
 import           Data.List (notElem, sortOn)
 import           Data.Map.Strict (Map)
 import qualified Data.Map.Strict as Map
-import           Data.Maybe (fromMaybe)
+import           Data.Maybe (catMaybes, fromMaybe)
 import           Data.Ord (Down (Down))
 import           Data.Set (Set, union, (\\))
 import qualified Data.Set as Set
@@ -49,13 +49,13 @@ import           Control.State.Transition
 import           Control.State.Transition.Generator (HasTrace, envGen, sigGen)
 import           Data.AbstractSize (HasTypeReps)
 
-import           Ledger.Core (BlockCount (..), HasHash, Owner (Owner), Relation (..),
+import           Ledger.Core (BlockCount (..), HasHash, Owner (Owner), Relation (..), Slot,
                      SlotCount (..), VKey (VKey), VKeyGenesis (VKeyGenesis), dom, hash,
                      minusSlotMaybe, skey, (*.), (-.), (∈), (∉), (⋪), (▷), (▷<=), (▷>=), (◁), (⨃))
 import qualified Ledger.Core as Core
 import qualified Ledger.Core.Generators as CoreGen
 
-import           Prelude hiding (min)
+import           Prelude
 
 
 -- | Protocol parameters.
@@ -225,27 +225,57 @@ invertBijection
 a ==> b = not a || b
 infix 1 ==>
 
+-- | Check whether a protocol version can follow the current protocol version.
 pvCanFollow
   :: ProtVer
+  -- ^ Next protocol version
   -> ProtVer
+  -- ^ Previous protocol version
   -> Bool
-pvCanFollow (ProtVer mjn min an) (ProtVer mjp mip ap)
-  = (mjp, mip, ap) < (mjn, min, an)
+pvCanFollow (ProtVer mjn mn an) (ProtVer mjp mip ap)
+  = (mjp, mip, ap) < (mjn, mn, an)
   && (inRange (0,1) (mjn - mjp))
-  && ((mjp == mjn) ==> (mip +1 == min))
-  && ((mjp +1 == mjn) ==> (min == 0))
+  && ((mjp == mjn) ==> (mip + 1 == mn))
+  && ((mjp + 1 == mjn) ==> (mn == 0))
 
 -- | Check whether an update proposal marks a valid update
 --
---   TODO At the moment we don't check size in here - should we?
-canUpdate
+checkUpdateConstraints
   :: PParams
   -> UProp
-  -> Bool
-canUpdate pps prop =
-  (prop ^. upParams . maxBkSz <= 2 * pps ^. maxBkSz)
-  && (prop ^. upParams . maxBkSz > prop ^. upParams . maxTxSz)
-  && (inRange (0,1) $ prop ^. upParams . scriptVersion - pps ^. scriptVersion)
+  -> [UpdateConstraintViolation]
+checkUpdateConstraints pps prop =
+  catMaybes
+    [ (prop ^. upParams . maxBkSz <=? 2 * pps ^. maxBkSz)
+        `orError` BlockSizeTooLarge
+    , (prop ^. upParams . maxTxSz + 1 <=? prop ^. upParams . maxBkSz)
+        `orError` TransactionSizeTooLarge
+    , (pps ^. scriptVersion <=? prop ^. upParams . scriptVersion)
+        `orError` ScriptVersionTooSmall
+    , (prop ^. upParams . scriptVersion <=? pps ^. scriptVersion + 1)
+        `orError` ScriptVersionTooLarge
+    ]
+
+(<=?) :: Ord a => a -> a -> Maybe (a, Threshold a)
+x <=? y = if x <= y then Nothing else Just (x, Threshold y)
+
+infix 4 <=?
+
+orError :: Maybe (a, b) -> (a -> b -> e) -> Maybe e
+orError mab ferr = uncurry ferr <$> mab
+
+canUpdate :: PParams -> UProp -> Rule UPPVV ctx ()
+canUpdate pps prop = violations == [] ?! CannotUpdatePv violations
+  where violations = checkUpdateConstraints pps prop
+
+-- | Violations on the constraints of the allowed values for new protocol
+-- parameters.
+data UpdateConstraintViolation
+  = BlockSizeTooLarge Natural (Threshold Natural)
+  | TransactionSizeTooLarge Natural (Threshold Natural)
+  | ScriptVersionTooLarge Natural (Threshold Natural)
+  | ScriptVersionTooSmall Natural (Threshold Natural)
+  deriving (Eq, Ord, Show)
 
 svCanFollow
   :: Map ApName (ApVer, Core.Slot, Metadata)
@@ -303,7 +333,7 @@ instance STS UPPVV where
 
   data PredicateFailure UPPVV
     = CannotFollowPv
-    | CannotUpdatePv
+    | CannotUpdatePv [UpdateConstraintViolation]
     | AlreadyProposedPv
     | InvalidSystemTags
     deriving (Eq, Show)
@@ -316,7 +346,7 @@ instance STS UPPVV where
             nv = up ^. upPV
             ppsn = up ^. upParams
         pvCanFollow nv pv ?! CannotFollowPv
-        canUpdate pps up ?! CannotUpdatePv
+        canUpdate pps up
         nv `notElem` (fst <$> Map.elems rpus) ?! AlreadyProposedPv
         all sTagValid (up ^. upSTags) ?! InvalidSystemTags
         return $! rpus ⨃ [(pid, (nv, ppsn))]
@@ -345,7 +375,7 @@ instance STS UPV where
   data PredicateFailure UPV
     = UPPVVFailure (PredicateFailure UPPVV)
     | UPSVVFailure (PredicateFailure UPSVV)
-    | AVChangedInPVUpdate ApName ApVer
+    | AVChangedInPVUpdate ApName ApVer (Maybe (ApVer, Slot, Metadata))
     | ParamsChangedInSVUpdate
     | PVChangedInSVUpdate
     deriving (Eq, Show)
@@ -359,7 +389,7 @@ instance STS UPV where
             ) <- judgmentContext
         rpus' <- trans @UPPVV $ TRC ((pv, pps), rpus, up)
         let SwVer an av = up ^. upSwVer
-        inMap an av (swVer <$> avs) ?! AVChangedInPVUpdate an av
+        inMap an av (swVer <$> avs) ?! AVChangedInPVUpdate an av (Map.lookup an avs)
         pure $! (rpus', raus)
     , do
         TRC ( (pv, pps, avs)
@@ -717,8 +747,8 @@ emptyUPIState =
 initialPParams :: PParams
 initialPParams =
   PParams                 -- TODO: choose more sensible default values
-     { _maxBkSz = 1000        -- max sizes chosen as non-zero to allow progress
-     , _maxHdrSz = 100
+     { _maxBkSz = 10000       -- max sizes chosen as non-zero to allow progress
+     , _maxHdrSz = 1000
      , _maxTxSz = 500
      , _maxPropSz = 10
      , _bkSgnCntT = 0.22     -- As defined in the spec.
@@ -904,19 +934,19 @@ instance HasTrace UPIREG where
           -- is not part of the registered protocol-update proposals
           -- (@rpus@).
           nextAltVersion :: (Natural, Natural) -> ProtVer
-          nextAltVersion (maj, min) = dom (range rpus)
+          nextAltVersion (maj, mn) = dom (range rpus)
                                     & Set.filter protocolVersionEqualsMajMin
                                     & Set.map _pvAlt
                                     & Set.toDescList
                                     & nextVersion
             where
               protocolVersionEqualsMajMin :: ProtVer -> Bool
               protocolVersionEqualsMajMin pv' =
-                _pvMaj pv' == maj && _pvMin pv' == min
+                _pvMaj pv' == maj && _pvMin pv' == mn
 
               nextVersion :: [Natural] -> ProtVer
-              nextVersion [] = ProtVer maj min 0
-              nextVersion (x:_) = ProtVer maj min (1 + x)
+              nextVersion [] = ProtVer maj mn 0
+              nextVersion (x:_) = ProtVer maj mn (1 + x)
 
       -- Generate a software version update.
       swVerGen :: Gen SwVer
@@ -1017,20 +1047,32 @@ dmapGen ngk = Bimap.fromList . uncurry zip <$> vkgVkPairsGen
 -- own modules.
 ppsUpdateFrom :: PParams -> Gen PParams
 ppsUpdateFrom pps = do
+  -- NOTE: we only generate small changes in the parameters to avoid leaving the
+  -- protocol parameters in a state that won't allow to produce any valid blocks
+  -- anymore (for instance if the maximum block size drops to a very small
+  -- value).
+
   -- Determine the change in the block size: a decrement or an increment that
   -- is no more than twice the current block maximum size.
   --
   -- We don't expect the maximum block size to change often, so we generate
   -- more values around the current block size (@_maxBkSz@).
-  newMaxBkSize <- Gen.integral (Range.linearFrom _maxBkSz 1 (2 * _maxBkSz))
-                  `increasingProbabilityAt`
-                  (1, 2 * _maxBkSz)
+  newMaxBkSize <-
+    Gen.integral (Range.linearFrom
+                    _maxBkSz
+                    (_maxBkSz -? 100) -- Decrement value was determined ad-hoc
+                    (2 * _maxBkSz)
+                 )
+    `increasingProbabilityAt` (_maxBkSz -? 100, 2 * _maxBkSz)
 
   -- Similarly, we don't expect the transaction size to be changed often, so we
   -- also generate more values around the current maximum transaction size.
-  newMaxTxSize <- Gen.integral (Range.exponentialFrom _maxTxSz 0 (newMaxBkSize - 1))
-                  `increasingProbabilityAt`
-                  (0, newMaxBkSize - 1)
+  let minTxSzBound = _maxTxSz `min` newMaxBkSize -? 1
+  newMaxTxSize <-
+    Gen.integral (Range.exponential
+                    (minTxSzBound -? 10) -- Decrement value determined ad-hoc
+                    (newMaxBkSize -? 1)
+                 )
 
   PParams
     <$> pure newMaxBkSize
@@ -1063,18 +1105,27 @@ ppsUpdateFrom pps = do
 
     nextMaxHdrSzGen :: Gen Natural
     nextMaxHdrSzGen =
-      Gen.integral (Range.exponentialFrom _maxHdrSz 0 (2 * _maxHdrSz))
-      `increasingProbabilityAt` (0, 2 * _maxHdrSz)
+      Gen.integral (Range.exponentialFrom
+                      _maxHdrSz
+                      (_maxHdrSz -? 10)
+                      (2 * _maxHdrSz)
+                   )
 
     nextMaxPropSz :: Gen Natural
     nextMaxPropSz =
-      Gen.integral (Range.exponentialFrom _maxPropSz 0 (2 * _maxPropSz))
-      `increasingProbabilityAt` (0, 2 * _maxPropSz)
+      Gen.integral (Range.exponentialFrom
+                      _maxPropSz
+                      (_maxPropSz -? 1)
+                      (2 * _maxPropSz)
+                   )
 
     nextBkSgnCntT :: Gen Double
     nextBkSgnCntT =
-      Gen.double (Range.exponentialFloatFrom _bkSgnCntT 0 1)
-      `increasingProbabilityAt` (0, 1)
+      Gen.double (Range.exponentialFloatFrom
+                    _bkSgnCntT
+                    (_bkSgnCntT - 0.01)
+                    (_bkSgnCntT + 0.01)
+                 )
 
     nextUpTtl :: Gen SlotCount
     nextUpTtl = SlotCount <$>
@@ -1113,6 +1164,9 @@ ppsUpdateFrom pps = do
       Gen.integral (Range.exponentialFrom _factorB 0 10)
       `increasingProbabilityAt` (0, 10)
 
+    (-?) :: Natural -> Natural -> Natural
+    n -? m = if n < m then 0 else n - m
+
 -- | Generate values the given distribution in 90% of the cases, and values at
 -- the bounds of the range in 10% of the cases.
 --
@@ -1349,13 +1403,15 @@ instance STS UPIEND where
 instance Embed UPEND UPIEND where
   wrapFailed = UPENDFailure
 
--- | Generate a protocol version endorsement for a given key, or 'Nothing' if no stable and
--- confirmed protocol version update can be found.
-protocolVersionEndorsementGen
+-- | Given a list of protocol versions and keys endorsing those versions,
+-- generate a protocol-version endorsement, or 'Nothing' if the list of
+-- endorsements is empty. The version to be endorsed will be selected from those
+-- versions that have the most endorsements.
+pickHighlyEndorsedProtocolVersion
   :: [(ProtVer, Set Core.VKeyGenesis)]
   -- ^ Current set of endorsements
   -> Gen (Maybe ProtVer)
-protocolVersionEndorsementGen endorsementsList =
+pickHighlyEndorsedProtocolVersion endorsementsList =
   if null mostEndorsedProposals
   then pure Nothing
   else Just <$> Gen.element mostEndorsedProposals
@@ -1444,3 +1500,75 @@ instance STS UPIEC where
 
 instance Embed PVBUMP UPIEC where
   wrapFailed = PVBUMPFailure
+
+-- | Generate an optional update-proposal and a list of votes, given an update
+-- environment and state.
+--
+-- The update proposal and votes need to be generated at the same time, since
+-- this allow us to generate update votes for update proposals issued in the
+-- same block as the votes.
+updateProposalAndVotesGen
+  :: UPIEnv
+  -> UPIState
+  -> Gen (Maybe UProp, [Vote])
+updateProposalAndVotesGen upienv upistate = do
+  let rpus = registeredProtocolUpdateProposals upistate
+  if Set.null (dom rpus)
+    then generateUpdateProposalAndVotes
+    else Gen.frequency [ (5, generateOnlyVotes)
+                       , (1, generateUpdateProposalAndVotes)
+                       ]
+  where
+    generateOnlyVotes = (Nothing,) <$> sigGen @UPIVOTES Nothing upienv upistate
+    generateUpdateProposalAndVotes = do
+      updateProposal <- sigGen @UPIREG Nothing upienv upistate
+      -- We want to have the possibility of generating votes for the proposal we
+      -- registered.
+      case applySTS @UPIREG (TRC (upienv, upistate, updateProposal)) of
+        Left _ ->
+          (Just updateProposal, )
+            <$> sigGen @UPIVOTES Nothing upienv upistate
+        Right upistateAfterRegistration ->
+          (Just updateProposal, )
+            <$> sigGen @UPIVOTES Nothing upienv upistateAfterRegistration
+
+
+-- | Generate an endorsement given an update environment and state.
+protocolVersionEndorsementGen
+  :: UPIEnv
+  -> UPIState
+  -> Gen ProtVer
+protocolVersionEndorsementGen upienv upistate =
+  fromMaybe (protocolVersion upistate)
+    <$> pickHighlyEndorsedProtocolVersion endorsementsList
+  where
+    -- Generate a list of protocol version endorsements. For this we look at the
+    -- current endorsements, and confirmed and stable proposals.
+    --
+    -- If there are no endorsements, then the confirmed and stable proposals
+    -- provide fresh protocol versions that can be endorsed.
+    endorsementsList :: [(ProtVer, Set Core.VKeyGenesis)]
+    endorsementsList = endorsementsMap `Map.union` emptyEndorsements
+                     & Map.toList
+      where
+        emptyEndorsements :: Map ProtVer (Set Core.VKeyGenesis)
+        emptyEndorsements = zip stableAndConfirmedVersions (repeat Set.empty)
+                          & Map.fromList
+          where
+            stableAndConfirmedVersions
+              :: [ProtVer]
+            stableAndConfirmedVersions = stableAndConfirmedProposalIDs ◁ rpus
+                                       & Map.elems
+                                       & fmap fst
+              where
+                stableAndConfirmedProposalIDs =
+                  dom (confirmedProposals upistate ▷<= sn  -. 2 *. k)
+                  where
+                    (sn, _, k, _) = upienv
+
+                rpus = registeredProtocolUpdateProposals upistate
+
+        endorsementsMap :: Map ProtVer (Set Core.VKeyGenesis)
+        endorsementsMap = Set.toList (endorsements upistate)
+                        & fmap (second Set.singleton)
+                        & Map.fromListWith Set.union

byron/ledger/executable-spec/test/Ledger/Update/Properties.hs

@@ -18,15 +18,11 @@ module Ledger.Update.Properties
 
 import           GHC.Stack (HasCallStack)
 
-import           Control.Arrow (second)
 import qualified Data.Bimap as Bimap
 import           Data.Foldable (fold, traverse_)
 import           Data.Function ((&))
 import           Data.List.Unique (count)
-import           Data.Map.Strict (Map)
-import qualified Data.Map.Strict as Map
-import           Data.Maybe (catMaybes, fromMaybe, isNothing)
-import           Data.Set (Set)
+import           Data.Maybe (catMaybes, isNothing)
 import qualified Data.Set as Set
 import           Data.Word (Word64)
 import           Hedgehog (Property, cover, forAll, property, withTests)
@@ -35,7 +31,7 @@ import qualified Hedgehog.Range as Range
 import           Numeric.Natural (Natural)
 
 import           Control.State.Transition (Embed, Environment, IRC (IRC), PredicateFailure, STS,
-                     Signal, State, TRC (TRC), applySTS, initialRules, judgmentContext, trans,
+                     Signal, State, TRC (TRC), initialRules, judgmentContext, trans,
                      transitionRules, wrapFailed, (?!))
 import           Control.State.Transition.Generator (HasTrace, envGen, randomTraceOfSize, ratio,
                      sigGen, trace, traceLengthsAreClassified, traceOfLength)
@@ -44,7 +40,7 @@ import           Control.State.Transition.Trace (Trace, TraceOrder (OldestFirst)
                      traceSignals, traceStates, _traceEnv, _traceInitState)
 
 import           Ledger.Core (BlockCount (BlockCount), Slot (Slot), SlotCount (SlotCount), dom,
-                     unBlockCount, (*.), (-.), (▷<=), (◁))
+                     unBlockCount)
 import qualified Ledger.Core as Core
 import           Ledger.GlobalParams (slotsPerEpoch)
 import           Ledger.Update (PParams, ProtVer, UPIEND, UPIEnv, UPIREG, UPIState, UPIVOTES, UProp,
@@ -92,9 +88,11 @@ upiregRelevantTracesAreCovered = withTests 300 $ property $ do
   --------------------------------------------------------------------------------
   -- Maximum block-size checks
   --------------------------------------------------------------------------------
-  cover 50
-    "at least 30% of the update proposals decrease the maximum block-size"
-    (0.3 <= ratio (wrtCurrentProtocolParameters Update._maxBkSz Decreases) sample)
+  -- NOTE: since we want to generate valid signals, we cannot decrease the block
+  -- size in most of the cases.
+  cover 20
+    "at least 5% of the update proposals decrease the maximum block-size"
+    (0.05 <= ratio (wrtCurrentProtocolParameters Update._maxBkSz Decreases) sample)
 
   cover 50
     "at least 30% of the update proposals increase the maximum block-size"
@@ -104,18 +102,12 @@ upiregRelevantTracesAreCovered = withTests 300 $ property $ do
     "at least 10% of the update proposals do not change the maximum block-size"
     (0.1 <= ratio (wrtCurrentProtocolParameters Update._maxBkSz RemainsTheSame) sample)
 
-  -- TODO: in the future we should change 1 to the minimum allowed protocol
-  -- value. But first we need to determine what that value is.
-  cover 20
-    "at least 5% of the update proposals set the maximum block-size to 1"
-    (0.05 <= ratio (Update._maxBkSz `isSetTo` 1) sample)
-
   --------------------------------------------------------------------------------
   -- Maximum header-size checks
   --------------------------------------------------------------------------------
-  cover 50
-    "at least 30% of the update proposals decrease the maximum header-size"
-    (0.3 <= ratio (wrtCurrentProtocolParameters Update._maxHdrSz Decreases) sample)
+  cover 20
+    "at least 5% of the update proposals decrease the maximum header-size"
+    (0.05 <= ratio (wrtCurrentProtocolParameters Update._maxHdrSz Decreases) sample)
 
   cover 50
     "at least 30% of the update proposals increase the maximum header-size"
@@ -125,35 +117,27 @@ upiregRelevantTracesAreCovered = withTests 300 $ property $ do
     "at least 10% of the update proposals do not change the maximum header-size"
     (0.1 <= ratio (wrtCurrentProtocolParameters Update._maxHdrSz RemainsTheSame) sample)
 
-  cover 20
-    "at least 5% of the update proposals set the maximum header-size to 0"
-    (0.05 <= ratio (Update._maxHdrSz `isSetTo` 0) sample)
-
   --------------------------------------------------------------------------------
   -- Maximum transaction-size checks
   --------------------------------------------------------------------------------
-  cover 50
-    "at least 30% of the update proposals decrease the maximum transaction-size"
-    (0.3 <= ratio (wrtCurrentProtocolParameters Update._maxTxSz Decreases) sample)
+  cover 20
+    "at least 5% of the update proposals decrease the maximum transaction-size"
+    (0.05 <= ratio (wrtCurrentProtocolParameters Update._maxTxSz Decreases) sample)
 
   cover 50
     "at least 30% of the update proposals increase the maximum transaction-size"
     (0.3 <= ratio (wrtCurrentProtocolParameters Update._maxTxSz Increases) sample)
 
-  cover 50
+  cover 40
     "at least 10% of the update proposals do not change the maximum transaction-size"
     (0.1 <= ratio (wrtCurrentProtocolParameters Update._maxTxSz RemainsTheSame) sample)
 
-  cover 20
-    "at least 5% of the update proposals set the maximum transaction-size to 0"
-    (0.05 <= ratio (Update._maxTxSz `isSetTo` 0) sample)
-
   --------------------------------------------------------------------------------
   -- Maximum proposal-size checks
   --------------------------------------------------------------------------------
-  cover 50
+  cover 20
     "at least 30% of the update proposals decrease the maximum proposal-size"
-    (0.3 <= ratio (wrtCurrentProtocolParameters Update._maxPropSz Decreases) sample)
+    (0.05 <= ratio (wrtCurrentProtocolParameters Update._maxPropSz Decreases) sample)
 
   cover 50
     "at least 30% of the update proposals increase the maximum proposal-size"
@@ -163,10 +147,6 @@ upiregRelevantTracesAreCovered = withTests 300 $ property $ do
     "at least 10% of the update proposals do not change the maximum proposal-size"
     (0.1 <= ratio (wrtCurrentProtocolParameters Update._maxPropSz RemainsTheSame) sample)
 
-  cover 20
-    "at least 5% of the update proposals set the maximum proposal-size to 0"
-    (0.05 <= ratio (Update._maxPropSz `isSetTo` 0) sample)
-
   -- NOTE: after empirically determining the checks above are sensible, we can
   -- add more coverage tests for the other protocol parameters.
 
@@ -222,18 +202,28 @@ upiregRelevantTracesAreCovered = withTests 300 $ property $ do
         check Decreases proposedParameterValue       = proposedParameterValue < currentParameterValue
         check RemainsTheSame proposedParameterValue  = currentParameterValue == proposedParameterValue
 
+    -- TODO: leaving this here as it might be useful in the future. Remove if it
+    -- isn't (dnadales - 07/17/2019). We use git, but nobody will see if it sits
+    -- in our history.
+    --
     -- Count the number of times in the sequence of update proposals that the
     -- given protocol value is set to the given value.
-    isSetTo
-      :: Eq v
-      => (PParams -> v)
-      -> v
-      -> Trace UPIREG
-      -> Int
-    isSetTo parameterValue value traceSample
-      = fmap (parameterValue . Update._upParams) (traceSignals OldestFirst traceSample)
-      & filter (value ==)
-      & length
+    --
+    -- Example usage:
+    --
+    -- > cover 20
+    -- >    "at least 5% of the update proposals set the maximum proposal-size to 0"
+    -- > (0.05 <= ratio (Update._maxPropSz `isSetTo` 0) sample)
+    -- isSetTo
+    --   :: Eq v
+    --   => (PParams -> v)
+    --   -> v
+    --   -> Trace UPIREG
+    --   -> Int
+    -- isSetTo parameterValue value traceSample
+    --   = fmap (parameterValue . Update._upParams) (traceSignals OldestFirst traceSample)
+    --   & filter (value ==)
+    --   & length
 
     expectedNumberOfUpdateProposalsPerKey :: Trace UPIREG -> Double
     expectedNumberOfUpdateProposalsPerKey traceSample =
@@ -364,58 +354,24 @@ instance HasTrace UBLOCK where
     do
       let numberOfGenesisKeys = 7
       dms <- Update.dmapGen numberOfGenesisKeys
-      -- We don't want a large value of @k@, otherwise we won't see many confirmed proposals or
-      -- epoch changes. The problem here is that the initial environment does not know anything
-      -- about the trace size, and @k@ should be a function of it.
+      -- We don't want a large value of @k@, otherwise we won't see many
+      -- confirmed proposals or epoch changes. The problem here is that the
+      -- initial environment does not know anything about the trace size, and
+      -- @k@ should be a function of it.
       pure (Slot 0, dms, BlockCount 10, numberOfGenesisKeys)
 
   sigGen _ _env UBlockState {upienv, upistate} = do
-    let rpus = Update.registeredProtocolUpdateProposals upistate
     (anOptionalUpdateProposal, aListOfVotes) <-
-      -- We want to generate update proposals when there is none registered. Otherwise we won't get
-      -- any proposals or votes.
-      if Set.null (dom rpus)
-      then generateUpdateProposalAndVotes
-      else Gen.frequency [ (5, generateOnlyVotes)
-                         , (1, generateUpdateProposalAndVotes)
-                         ]
-    -- Don't shrink the issuer as this won't give us additional insight on a test failure.
+      Update.updateProposalAndVotesGen upienv upistate
+
+    -- Don't shrink the issuer as this won't give us additional insight on a
+    -- test failure.
     aBlockIssuer <- Gen.prune $
       -- Pick a delegate from the delegation map
       Gen.element $ Bimap.elems (Update.delegationMap upienv)
 
-    let
-      -- Generate a list of protocol version endorsements. For this we look at the current
-      -- endorsements, and confirmed and stable proposals.
-      --
-      -- If there are no endorsements, then the confirmed and stable proposals provide fresh
-      -- protocol versions that can be endorsed.
-      endorsementsList :: [(ProtVer, Set Core.VKeyGenesis)]
-      endorsementsList = endorsementsMap `Map.union` emptyEndorsements
-                       & Map.toList
-        where
-          emptyEndorsements :: Map ProtVer (Set Core.VKeyGenesis)
-          emptyEndorsements = zip stableAndConfirmedVersions (repeat Set.empty)
-                            & Map.fromList
-            where
-              stableAndConfirmedVersions
-                :: [ProtVer]
-              stableAndConfirmedVersions = stableAndConfirmedProposalIDs ◁ rpus
-                                         & Map.elems
-                                         & fmap fst
-                where
-                  stableAndConfirmedProposalIDs =
-                    dom (Update.confirmedProposals upistate ▷<= sn  -. 2 *. k)
-                    where
-                      (sn, _, k, _) = upienv
-
-          endorsementsMap :: Map ProtVer (Set Core.VKeyGenesis)
-          endorsementsMap = Set.toList (Update.endorsements upistate)
-                          & fmap (second Set.singleton)
-                          & Map.fromListWith Set.union
-
     aBlockVersion <-
-      fromMaybe (Update.protocolVersion upistate) <$> Update.protocolVersionEndorsementGen endorsementsList
+      Update.protocolVersionEndorsementGen upienv upistate
 
     UBlock
       <$> pure aBlockIssuer
@@ -424,16 +380,6 @@ instance HasTrace UBLOCK where
       <*> pure anOptionalUpdateProposal
       <*> pure aListOfVotes
       where
-        generateOnlyVotes = (Nothing,) <$> sigGen @UPIVOTES Nothing upienv upistate
-        generateUpdateProposalAndVotes = do
-          updateProposal <- sigGen @UPIREG Nothing upienv upistate
-          -- We want to have the possibility of generating votes for the proposal we
-          -- registered.
-          case applySTS @UPIREG (TRC (upienv, upistate, updateProposal)) of
-            Left _ ->
-              (Just updateProposal, ) <$> sigGen @UPIVOTES Nothing upienv upistate
-            Right upistateAfterRegistration ->
-              (Just updateProposal, ) <$> sigGen @UPIVOTES Nothing upienv upistateAfterRegistration
         nextSlotGen =
           incSlot <$> Gen.frequency
                       [ (5, Gen.integral (Range.constant 1 10))
@@ -494,7 +440,7 @@ ublockRelevantTracesAreCovered = withTests 150 $ property $ do
 
   -- With traces of length 500, we expect to see about 80-90 proposals, which means that we will
   -- have about 8 to 9 proposals scheduled for adoption.
-  cover 70
+  cover 60
     "at least 10% of the proposals get enough endorsements"
     (0.1 <= proposalsScheduledForAdoption sample / totalProposals sample)
 

byron/semantics/executable-spec/src/Control/State/Transition.hs

@@ -1,29 +1,29 @@
-{-# LANGUAGE AllowAmbiguousTypes    #-}
-{-# LANGUAGE DataKinds              #-}
-{-# LANGUAGE DeriveFunctor          #-}
-{-# LANGUAGE FlexibleContexts       #-}
-{-# LANGUAGE FlexibleInstances      #-}
-{-# LANGUAGE GADTs                  #-}
-{-# LANGUAGE KindSignatures         #-}
-{-# LANGUAGE MultiParamTypeClasses  #-}
-{-# LANGUAGE PolyKinds              #-}
-{-# LANGUAGE RankNTypes             #-}
-{-# LANGUAGE ScopedTypeVariables    #-}
-{-# LANGUAGE StandaloneDeriving     #-}
-{-# LANGUAGE TypeApplications       #-}
-{-# LANGUAGE TypeFamilies           #-}
+{-# LANGUAGE AllowAmbiguousTypes #-}
+{-# LANGUAGE DataKinds #-}
+{-# LANGUAGE DeriveFunctor #-}
+{-# LANGUAGE FlexibleContexts #-}
+{-# LANGUAGE FlexibleInstances #-}
+{-# LANGUAGE GADTs #-}
+{-# LANGUAGE KindSignatures #-}
+{-# LANGUAGE MultiParamTypeClasses #-}
+{-# LANGUAGE PolyKinds #-}
+{-# LANGUAGE RankNTypes #-}
+{-# LANGUAGE ScopedTypeVariables #-}
+{-# LANGUAGE StandaloneDeriving #-}
+{-# LANGUAGE TypeApplications #-}
+{-# LANGUAGE TypeFamilies #-}
 {-# LANGUAGE TypeFamilyDependencies #-}
-{-# LANGUAGE UndecidableInstances   #-}
+{-# LANGUAGE UndecidableInstances #-}
 
 -- | Small step state transition systems.
 module Control.State.Transition where
 
-import Control.Monad (unless)
-import Control.Monad.Free.Church
-import Control.Monad.Trans.State.Strict (modify, runState)
+import           Control.Monad (unless)
+import           Control.Monad.Free.Church
+import           Control.Monad.Trans.State.Strict (modify, runState)
 import qualified Control.Monad.Trans.State.Strict as MonadState
-import Data.Foldable (find, traverse_)
-import Data.Kind (Type)
+import           Data.Foldable (find, traverse_)
+import           Data.Kind (Type)
 
 data RuleType
   = Initial
@@ -186,3 +186,8 @@ applySTS :: forall s rtype
 applySTS ctx = case applySTSIndifferently ctx of
   (st, []) -> Right st
   (_, pfs) -> Left pfs
+
+-- | This can be used to specify predicate failures in STS rules where a value
+-- is beyond a certain threshold.
+newtype Threshold a = Threshold a
+  deriving (Eq, Ord, Show)

byron/semantics/executable-spec/src/Control/State/Transition/Generator.hs

@@ -522,6 +522,8 @@ onlyValidSignalsAreGenerated maximumTraceLength = property $ do
   let result = applySTS @s (TRC(env, st', sig))
   -- TODO: For some reason the result that led to the failure is not shown
   -- (even without using tasty, and setting the condition to True === False)
+  footnoteShow st'
+  footnoteShow sig
   footnoteShow result
   void $ evalEither result