When Knossos fails, it gives output showing the sequence of events that violated linearizability. Porcupine seems to just return "false" from the checker. It would be great if it would show the underlying linearizability violation in a manner similar to Knossos.

Porcupine visualization is a great tool to view history of operations done in model. However it only graphs event history outputted from linearization.

In the real system there might be events that are not directly part of model of linearization, still they might have a influence of correctness of the system. For example we might want to test database like etcd correctness under different types of disruptions, like process kill. Process kill event is not directly part of linearization, however it would be really useful to be able to show the event in the visualization.

Would be great to have a method linearizationInfo.AddEvent(start, end int, name string), that allows to additional block that will be showed on the visualization. Additional recommendation would be to make linearizationInfo public struct. Having a public function returning private struct is a antipattern in Go.

As a workaround, it is possible to add this event as no-op operation to model. This however this will have negative impact on performance.

I think the etcd specification is incorrect:

A write can timeout

In this case, the Step function should not apply the write

Hey @anishathalye,

Thanks for the library, we're making pretty heavy use of this now in etcd and I spent the day to play around with it and check a toy database of mine.

While doing that, I came across an odd issue with sync.RWMutex which guards the three main operations (Get with ReadLock and Put+Delete with a WriteLock).

From sync.RWMutex:

A RWMutex is a reader/writer mutual exclusion lock. The lock can be held by an arbitrary number of readers or a single writer. The zero value for a RWMutex is an unlocked mutex.
If a goroutine holds a RWMutex for reading and another goroutine might call Lock, no goroutine should expect to be able to acquire a read lock until the initial read lock is released. In particular, this prohibits recursive read locking. This is to ensure that the lock eventually becomes available; a blocked Lock call excludes new readers from acquiring the lock.

Given this is implemented correctly in Go (I would assume so), this should give us linearizability over concurrent map operations. A single threaded happy path test runs correctly, the multi-goroutine one sadly returns Illegal.

The full code can be found in this commit: thomasjungblut@d01d216

And should be reproducible with a simple go test on the rwlock package.

I would love to attach a better visualization of this issue, however there's some issue with the JS in this particular case:

The more complex case from my toy database looks like this:

I'm rather curious as to why the "Get" was allowed to run during the "Put" and even the "Put" can overlap with another.
BTW I also suspect a clock resolution / backward movement issue with time.Now here...

EDIT: this also happens with a simple sync.Mutex.

Let me know what you think, especially if I screwed up the model somehow.

Hi @anishathalye

I write a simple check like:

type Request struct {
	// 0 for read, 1 for put
	Op int
	// put value
	Value int
}

type Resposne struct {
	// for read value
	Value int
	// for put ok
	Ok bool
}

func main() {
	m := porcupine.Model{
		Init: func() interface{} {
			return 5
		},
		Step: func(state interface{}, input interface{}, output interface{}) (bool, interface{}) {
			st := state.(int)
			inp := input.(Request)
			out := output.(Resposne)

			if inp.Op == 0 {
				// read
				ok := out.Value == st
				return ok, st
			}

			return out.Ok, inp.Value
		},
	}

	events := []porcupine.Event{
		porcupine.Event{Kind: porcupine.CallEvent, Value: Request{Op: 0}, Id: 1},
		porcupine.Event{Kind: porcupine.CallEvent, Value: Request{Op: 1, Value: 10}, Id: 2},
		porcupine.Event{Kind: porcupine.ReturnEvent, Value: Resposne{Ok: false}, Id: 2},
		porcupine.Event{Kind: porcupine.ReturnEvent, Value: Resposne{Value: 5}, Id: 1},
	}

	if !porcupine.CheckEvents(m, events) {
		panic("must be linearizable")
	}
}

The history is very easy, the init state is 5, event 1 does the read operation and event 2 writes 10 but fails. I think the history may be a linearizability but to my surprised, it panics. If I change the write Ok to true, it will work.

Can you tell me why or what do I need to change for the case?

Thank you very much.

Hi @anishathalye

I use Porcupine to verify my bank case but find it can't stop and run for a long time. I don't know why, but seem that my bank Model is right. see
https://github.com/siddontang/chaos/blob/master/db/tidb/bank.go#L222

You can check out the chaos repo and make verifier to build the chaos verifier, then run

./bin/chaos-verifier -names tidb_bank -history ./history.log

The history log is here

history.log

It is very appreicated that you can help me figure the problem out.

When testing changes to etcd robustness testing we have managed to generate 1.5GB visualization file.

The operation history is about 3k operatons, which is pretty short, however due to high request failure rate (50%) the linearization times out on 5 minutes. I expect the most of those 1.5GB comes from huge number of partial linearizations. Which makes sense as there might be exponential number of them.

The file is too big to be loaded by browser, could we maybe limit the size of partial linearizations to ensure that file size doesn't explode and we can still open it?

If you want to check out the file see https://github.com/etcd-io/etcd/actions/runs/9178286126?pr=17833, download one of the artifacts and look for "history.html" files in the archive.

Hi @anishathalye

I write a simple model to check bank transfer, see https://github.com/siddontang/chaos/blob/master/tidb/bank.go#L170

And I generate 5000 events, but to my surprise, the linearizability check is killed with OOM, but my server has 128 GB memory.

Here is the history log
history.log.zip
and I use https://github.com/siddontang/chaos/blob/master/tidb/bank.go#L246 to parse the history and verify it.

After calling CheckOperationsVerbose and getting a result I would love be able to access the "longest linearizable path" found. In the case of an Ok result this would be equivalent to the path shown in the visualization. In the case of an Illegal result the visualization can show a few different paths, in this case either the longest or all the paths would be useful to have access to.

The reason I am hoping to access this information is because we have written a step function that looks like this

func(state, input, output interface{}) (bool, interface{}) {
	model := state.(*Model)
	req := input.(*Req)
	res := output.(*Res)

	updatedModel, err := dst.Step(model, req.time, res.time, req.req, res.res, res.err)
	if err != nil {
		return false, model
	}

	return true, updatedModel
}

Our dst function returns an updated model and an error that contains additional useful information. In the case where the error is non nil, we report false to porcupine and the error information is effectively lost. If I could access the longest path (I'm hoping for a slice of type []porcupine.Operation) I could feed this information back into our dst model and report the error that occurs, this would be super helpful for debugging and developing.

If this is something that is possible and something you are up to add to porcupine I am happy to create a PR :)

Hi @anishathalye,

Currently, I am using https://github.com/pingcap/chaos to check strong consistency of TiDB. But porcupine don't work with too many events so all my tests are out of memory before my chaos run.

Can you give me any solution to check strong consistency of database with chaos?

Besides, I propose that we can run continuously test ( about 200 events logs per test) and use porcupine to check them. If all tests passed, the database would be strong consistency. Is that true?

How can one represent the ambiguity of timeout responses with porcupine?

When my application fails to handle a request by some specified deadline, it is unclear whether the request took effect or not. Knossos handles this ambiguity with the :info response type, but porcupine doesn't seem to have an equivalent. I think this concern needs to be built into the checker.

So how can porcupine handle ambiguous histories created by phenomena like timeouts?

Hi @anishathalye

I want to use porcupine in our bank transfer case. Our case has two operations:

1. read: read all account balances
2. transfer: random select two accounts and transfer some money

For simplicity, let's assume we only have two accounts 0 and 1. And I try to use porcupine like this:

package main

import (
	"reflect"

	"github.com/anishathalye/porcupine"
)

type bankRequest struct {
	// 0: read
	// 1: transfer from -> to with amount
	op     int
	from   int
	to     int
	amount int
}

type bankResponse struct {
	// read result
	balances []int64
        // read or transfer ok
	ok       bool
}

func newBankEvent(v interface{}, id uint) porcupine.Event {
	if _, ok := v.(bankRequest); ok {
		return porcupine.Event{Kind: porcupine.CallEvent, Value: v, Id: id}
	}

	return porcupine.Event{Kind: porcupine.ReturnEvent, Value: v, Id: id}
}

func getBankModel() porcupine.Model {
	return porcupine.Model{
		Init: func() interface{} {
                        // account 0 and 1 both have 1000 at first
			v := make([]int64, 2)
			for i := 0; i < 2; i++ {
				v[i] = 1000
			}
			return v
		},
		Step: func(state interface{}, input interface{}, output interface{}) (bool, interface{}) {
			st := state.([]int64)
			inp := input.(bankRequest)
			out := output.(bankResponse)

			if inp.op == 0 {
				// read
				ok := !out.ok || reflect.DeepEqual(st, out.balances)
				return ok, state
			}

			// for transfer
			if out.ok {
				newSt := append([]int64{}, st...)
				newSt[inp.from] -= int64(inp.amount)
				newSt[inp.to] += int64(inp.amount)
				return true, newSt
			}

			return false, st
		},
		Equal: func(state1, state2 interface{}) bool {
			return reflect.DeepEqual(state1, state2)
		},
	}
}

func main() {
	m := getBankModel()

	events := []porcupine.Event{
		newBankEvent(bankRequest{op: 0}, 1),
		newBankEvent(bankResponse{ok: true, balances: []int64{1000, 1000}}, 1),
                // try to transfer 500 from 0 to 1
		newBankEvent(bankRequest{op: 1, from: 0, to: 1, amount: 500}, 2),
		// In our case, the transfer may return fail because of some reasons, but the balance
		// is already transfered, so for next read, we will read the corrent data.
		newBankEvent(bankResponse{ok: false}, 2),
		newBankEvent(bankRequest{op: 0}, 3),
		newBankEvent(bankResponse{ok: true, balances: []int64{500, 1500}}, 3),
	}

	if !porcupine.CheckEvents(m, events) {
		panic("must be linearizable")
	}
}

Sadly, the check fails, but I have no idea how to fix this. Can you help me figure it out why the check can't work? Thank you.