consensus-testlib: add Test.CsjModel

[nfrisby]

This PR model is the result of troubleshooting some test failures. I found a minor non-optimality in CSJ (recall that CSJ is fundamentally an optimization), and with the non-centralized definition of the existing CSJ implementation it was challenging for me to establish confidence that there weren't similar issues. I developed this centralized model for more legibility/clarity, and I intend for it to be used at least to test the non-centralized CSJ implementation.

[nfrisby]

This type doesn't use AnchoredFragment for two reasons.

• As a model, I'm trying to keep it as simple as possible: so far, I don't need headers at all. And I can't put points in an AnchoredFragment because of the HasHeader constraint.

• So far, the model deals with chains that reach all the way back to Origin, not fragments. As long as that's true, it seems misleading to use AnchoredFragment.

[nfrisby]

The code no longer reaches all the way back to Genesis. It still doesn't involve headers explicitly, but perhaps AnchoredSeq could still be reused?

[nfrisby]

Overnight, I ran:

• 4 copies of -p\"/CSJ/&&/With some/&&/own thing/\" --quickcheck-tests 10000
• 28 copies of -p\"/CSJ/" --quickcheck-shrinks 1000 --quickcheck-tests 1000

The testsuite has a 10x factor, so three of the four CSJ tests ran 280000 times, and the fourth ran 680000 times.

All of those tests passed! 🙌 Encouraging.

Edit: .... but the Byron ThreadNet tests are failing 🤦
Edit 2: Nevermind, those Byron tests also fail (in my local build) for the intersection of this PR and origin/main as well as on origin/main itself.

[nfrisby]

I think the tree of the current tip commit is in pretty good shape.; passing huge number of -p/CSJ/ tests locally. We discussed next steps in our call today.

• I'll pause and ramp up on Leios Innovation work.
• @amesgen will start reviewing this PR.
• The nearest milestone seems to be: split out a smaller PR that merely abstracts the ChainSync client over the CSJ registerClient function and reorganize the tests in this PR just slightly so that CsjModel.hs is also used in the Genesis tests (maybe the TestSetup determines which governor, 50-50 and shrink to CsjModel.hs?).
• Principal remaining work for a follow-up PR is to confirm that the gap between the CSJ implementation and CsjModel.hs is just the risk of unnecessary header downloads and nothing more than that. Secondary remaining work is the flaky "node restart during sync" test.

[nfrisby]

The ~275000th local iteration of a test failed because I forgot to change the rotateDynamo call from the CSJ implementation to CsjModel.hs. I just pushed up a commit that fixed that.

However, the test case still fails, because CsjModel.hs's Demoting/Demoted pair doesn't account for the fact that the Dynamo being demoted might be stuck on the forecast range 🤦. So that's a TODO

Repro: cabal run ouroboros-consensus-diffusion:consensus-test -- --quickcheck-replay="(SMGen 646821712187648738 7938881144433598775,0)" -p '/stalling leashing attack/'

[nfrisby]

This Demoting isn't enough. Specifically:

• The Dynamo is adversarial, withholding blocks.
• But the Dynamo is serving the honest chain, and all Jumpers have fully accepted the latest jump request.
• The Dynamo has served some headers after that jump request, but not enough for another jump.

In this scenario, the Dynamo has the longest chain, so Devoted BlockFetch will favor them. Also, the Dynamo's ChainSync client is fully blocked until a new block arrives, which it won't. So it'll never send the Demoted stimulus---the demoted definition just below won't happen. So the CSJ state and the syncing node overall are now stuck.

I anticipate the smoothest way to fix this is to introduce a new NonDynamo which is FormerDynamo. The CSJ governor expects it to send MsgRollForward etc and also Demoted. Once it sends Demoted, it's just a Jumper again. The benefit is that this way a new Dynamo can be elected before this Dynamo being demoted raises Demoted.