Skip to content

Prove VSTS non-interference lemma #729

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
marshtompsxd merged 78 commits into from
Jan 5, 2026
Merged

Prove VSTS non-interference lemma #729

marshtompsxd merged 78 commits into from
Jan 5, 2026

Conversation

@Catoverflow
Copy link
Collaborator

@Catoverflow Catoverflow commented Jan 5, 2026
edited
Loading

This PR adds and proves VSTS non-interference lemma (lemma_no_interference) with a few assumptions to be proved in following PRs:

  • vsts_guarantee
  • no_interfering_request_between_vsts

Additional helper lemmas

And 2 helper lemmas needs to be proved in the future:

  • generated_name_has_vsts_prefix_implies_generate_name_field_has_vsts_prefix
  • vsts_name_non_eq_implies_no_pvc_name_match

Because of Verus' limited support for string they are not easy to prove.

Maybe @NikhilSDate can help on them and 2 assumptions above

These predicates are added and already proved for the shield lemma:

  • cluster.no_pending_request_to_api_server_from_non_controllers
  • seq_unequal_preserved_by_add_prefix

Change in VSTS rely conditions

Updated a few wrong and missing assimptions there

Change in VSTS spec

Change in cluster state machine

Cluster API Server state machine is updated to

  • make it easier for Verus to learn the change made by UpdateStatus requests and Update requests
  • add an additional check on req.owner_ref to make sure it's a controller owner for GetThenUpdate and GetThenDelete requests

Minor changes

  • remove no_pending_mutation_request_not_from_controller_on_vrs_objects as it's replaced by cluster.no_pending_request_to_api_server_from_non_controllers
  • rename generate_name to be generated_name

@Catoverflow
add framework for shield lemma, simplify lemma_eventually_always_no_p…
25efb36 
…ending_mutation_request_not_from_controller_on_vrs_objects
@Catoverflow
stage on shield lemma dependencies
60ef03c
@Catoverflow
add vsts prefix to pvc name schema
0e7ffa8
@Catoverflow
fix syntax
82cf324
@Catoverflow
forbid - in pvc name
59d1887
@Catoverflow
add seq_unequal_preserved_by_add_prefix and lemma_dash_free_prefix_pr…
2f5e84b 
…eserves_suffix_inequality
@Catoverflow
use dash_free
538e73a
@Catoverflow
fix rely guarantee
8ce8b39
@Catoverflow
finish no_interfering_request_between_vsts
21a0ad0
@Catoverflow
fix no_interfering_request_between_vsts
c5a0641
@Catoverflow
add trigger
d838732
@Catoverflow
refine no_interfering_request_between_vsts
0884ba9
@Catoverflow
add shield lemma
a49ec87
@Catoverflow
add drafts of lemma_no_interference
1ad8c47
@Catoverflow
introduce every_msg_from_vsts_controller_carries_vsts_key
e80fa6a
@Catoverflow
save progress on shield lemma
8f81567
@Catoverflow
rework rely conditions
19b5533
@Catoverflow
stage on shield lemma because of API server bug
168a95d
@Catoverflow
blocked by pod monkey
0c0b0ff
@Catoverflow
finish first branch with some holes
7550932
@Catoverflow
stage current progress on vsts_shield_lemma
8d15d94
@Catoverflow
add controller ref check
bf782cc
@Catoverflow
remove unnecessary rely conditions
7862ca8
@Catoverflow
add type helper and comment
a0c5a8f
@Catoverflow
relax conditions to conform with rely conditions
5755296
@Catoverflow
prove first half of shield lemma with clean assumptions
2db6afe
@Catoverflow
prove first half of shield lemma with clean assumptions
7a3e642
@Catoverflow
simplify proof
16ff2ee
@Catoverflow
further simplify proof
384b75c
@Catoverflow
prove CreateRequest branch
2fa4573
@marshtompsxd
Copy link
Collaborator

marshtompsxd commented Jan 5, 2026

"Shield" is just a nickname. We should call it the non-interference lemma (you don't need to rename the file or lemma).

@marshtompsxd marshtompsxd changed the title VSTS shield lemma Prove VSTS non-interference lemma Jan 5, 2026
marshtompsxd
marshtompsxd reviewed Jan 5, 2026
View reviewed changes
@Catoverflow
Copy link
Collaborator Author

Catoverflow commented Jan 5, 2026

We should call it the non-interference lemma (you don't need to rename the file or lemma).

Good catch, though I want a cooler name for it :3

@marshtompsxd marshtompsxd added this pull request to the merge queue Jan 5, 2026
Merged via the queue into main with commit 0380b77 Jan 5, 2026
11 checks passed
@Catoverflow Catoverflow deleted the vsts_shield_lemma branch January 5, 2026 19:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@marshtompsxd marshtompsxd marshtompsxd left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Stricter checking/validation of statefulset pvcs

3 participants

@Catoverflow @marshtompsxd