beacon/light: add CommitteeChain #27766
Conversation
zsfelfoldi
force-pushed
the
committee_chain
branch
from
fd9d0d3
to
b9a5266
Compare
zsfelfoldi
force-pushed
the
committee_chain
branch
from
b9a5266
to
0c25b5d
Compare
| // and the update signature is valid and has enough participants. | ||
| // The committee at the next period (proven by the update) should also be | ||
| // present (note that this means they can only be added together if neither | ||
| // is present yet). If a fixed root is present at the next period then the |
There was a problem hiding this comment.
If a fixed root is present at the next period then the update can only be present if it proves the same committee root.
Can you explain why this scenaio is posssible that a "future" fixed root is configured.
If the local chain is stale and we restart it with a latest checkpoint, we can simply
reset the whole committee chain and initializes it with the given latest checkpoint?
I would like to simplify the situation a bit, that committeeChain starts from a external
configured, trusted committee and then extend it with signed updates. Also we can
provide a external API called SetChain or so to manually rewind if something bad
happens. Maybe I miss something?
There was a problem hiding this comment.
"Future" fixed roots typicaliy do not exist on their own, except right after checkpoint init when we have fixed roots at P and P+1, a committee at P and no updates. In servers connected to a trusted local full beacon node, new updates and committees are always fixed so that a fixed root is set and then the update and committee are added. This ensures that the same syncing mechanism can be used everywhere and it can improve existing updates to better ones that prove the same committee root, but cannot reorg the existing chain even if there is an ongoing attack that somehow manages to generate better sync committee updates (note that this is unfortunately not slashable atm). In this scenario the real chain is still retained by honest servers and clients can manually fix by updating their checkpoint.
All of this is elegant from one viewpoint and maybe complicated from another, but this is not the main reason for its existence. The real reason for the possibility of fixing further roots after init is backward syncing; servers have to sync old data from other server (both the committee chain and other chain/state data) after being initialized, otherwise older data would get harder to access over time. Backward syncing committees is only possible if we first fix the roots (either based on a trusted local beacon node or a historical state proof).
There was a problem hiding this comment.
I have two main concerns to challenge the design:
- Why do we still have the trusted server assumption. I can understand servers and clients start with a trusted checkpoint, but all the later chain extension must be verified, no trust assumption is required, isn't it?
If there is some attacks and servers/clients can easily be switched to attack chain, I will say this sync committee is wrong by design.
- Can you elaborate how to backward sync the committee chain? The initial external set checkpoint specifies the committee for verifying the updates belong to this period, it's unable to verify any pre-period updates.
There was a problem hiding this comment.
- "trusted" in this context means a local beacon node that is connected to a Geth instance acting as a light server; so it is your own node which you should trust over anything else. Clients of course do not need trusted servers.
The attack vector I mentioned (bribing the supermajority of sync committee signers) is hopefully mostly theoretical but still, I feel it's best to reduce the potential chance of success (actually misleading clients) as the honest servers will still propagate the proper updates.
Btw there is another, maybe more probable scenario where it makes sense to fix roots according to the local beacon node: if the participation score of the best available update is below the default threshold setting. In this case clients can decide to slightly lower their own threshold but servers should always propagate the best available update so that clients have this option. With a fixed root at the next period, the server'sCommitteeChaincan accept the update even if its score is below the threshold (now that I checked, I did not add this condition yet but I will do so now).
There was a problem hiding this comment.
- with the
historical_rootsandstate_rootstrees we can prove any old beacon state from the most recent one and the old beacon state can prove the old committee root. Btw servers will not only backward sync committees but also checkpoints from each other, so that if the client knows an older checkpoint hash it can still be served. The beacon state proofs proving execution block roots is also synced from other servers so that old exec blocks can be proven (this is what replaces the old CHTs). Since beacon state is only generated for new blocks and beacon nodes do not retain it for very long, it is a generally necessary mechanism for our use cases to retain certain parts of the old beacon states on the server side and also to be able to sync it from other servers. This is already implemented and will be a part of a future PR.
beacon/light/committee_chain.go
Outdated
| // AddFixedRoot sets a fixed committee root at the given period. | ||
| // Note that the period where the first committee is added has to have a fixed | ||
| // root which can either come from a CheckpointData or a trusted source. | ||
| func (s *CommitteeChain) AddFixedRoot(period uint64, root common.Hash) error { |
There was a problem hiding this comment.
Any particular reason to have this function?
I think it should only be used to initialize the committeeChain with some external configured root?
Is it possible to add the root after initialization to force the committeeChain to reorg to some branch?
There was a problem hiding this comment.
It as also required for backward syncing committees. For servers connected to a trusted local full beacon node, the easiest way to use CommitteeChain is to just set a fixed root for each committee fetched from the local node. Client-servers (light clients that also propagate beacon chain proofs to others) can use state proofs to prove old committee roots and set them as fixed roots.
There was a problem hiding this comment.
I think it relies on the assumption that the beacon node is trustful, to make backward sync feasible. I guess it's a valid scenario that some entities want to sync the full committee chain.
But I will just go with anther direction, we can set the initial checkpoint with the earliest one and do "forward" sync then. In this case, we can get rid of the complexity of "backward" sync. IIUC, backward sync just fetches the pre-checkpoints one by one and trust them blindly. It's way more elegant to set the initial checkpoint as early as possible and then extend chain with algorithm.
In order to make this sync viable, we need to ensure the updates belong to past period is still available. Do we have any API to fetch updates of specific period?
There was a problem hiding this comment.
It is a basic property of PoS that proofs get weaker over time. Clients may choose to trust a checkpoint that is a year old but servers should definitely not light sync the entire chain history from the beginning (or a very old checkpoint). On the other hand, we can easily and trustlessly prove anything from the most recent head which is always the safest starting point. As I wrote above, backward syncing old beacon state data is required anyways for execution root proofs.
beacon/light/committee_chain.go
Outdated
| defer s.chainmu.Unlock() | ||
|
|
||
| period := update.AttestedHeader.Header.SyncPeriod() | ||
| if !s.updates.periods.CanExpand(period) || !s.committees.periods.Includes(period) { |
There was a problem hiding this comment.
Do we support backward committee chain sync?
e.g. We have update list [U2, U3, U4] and committee list [C2, C3, C4, C5], can we extend with update_1?
I guess it's impossible to verify the update_1 lacking of committee_1 right?
If so, should we reject the backward extendable update, and only accept (1) the update of next period (2) the update of last period?
There was a problem hiding this comment.
It is possible to prove an old committee root through a historical state root from the recent head. You can then add it as a fixed root and fetch the belonging committee and update. This is not used by simple clients but servers (or clients which also serve data) will do backward syncing of committees and checkpoints, so that other clients can sync up from an earlier checkpoint.
There was a problem hiding this comment.
Sounds cool. So the checkpoint actually acts as a chain aggregator, through which we can obtain the whole historical chain.
There was a problem hiding this comment.
It is possible to prove an old committee root through a historical state root from the recent head
Can you point me the corresponding spec for it?
There was a problem hiding this comment.
https://github.com/ethereum/consensus-specs/blob/dev/specs/phase0/beacon-chain.md#beaconstate
See state_roots and historical_roots. Every new beacon state refers to every previous beacon state so we can prove old committees through the old beacon state (and also old execution block roots which is also required).
zsfelfoldi
force-pushed
the
committee_chain
branch
from
507fd56
to
fae81f9
Compare
| fixedRoots *canonicalStore[common.Hash] | ||
| committeeCache *lru.Cache[uint64, syncCommittee] // cache deserialized committees | ||
|
|
||
| clock mclock.Clock // monotonic clock (simulated clock in tests) |
There was a problem hiding this comment.
Why do you need both the clock and unixNano here?
I think you can get away with either a function that returns the current time or a mclock.Clock that can either be mclock.Simulated or mclock.System.
There was a problem hiding this comment.
I need the actual system time for checking signature age. For other use cases I like mclock which is guaranteed monotonic and does not change when the system time is changed, so I need both. By not exposing these in the constructor it becomes a lot less ugly though.
|
|
||
| // newCommitteeChain creates a new CommitteeChain with the option of replacing the | ||
| // clock source and signature verification for testing purposes. | ||
| func newCommitteeChain(db ethdb.KeyValueStore, config *types.ChainConfig, signerThreshold int, enforceTime bool, sigVerifier committeeSigVerifier, clock mclock.Clock, unixNano func() int64) *CommitteeChain { |
There was a problem hiding this comment.
Probably good to just roll this up into NewCommitteeChain?
There was a problem hiding this comment.
See #27766 (comment)
| // them in memory, associated with a continuous range of period numbers. | ||
| // Note: canonicalStore is not thread safe and it is the caller's responsibility | ||
| // to avoid concurrent access. | ||
| type canonicalStore[T any] struct { |
There was a problem hiding this comment.
I don't know if this should live in the light package. Maybe would be better in internal? Also is there an equivalent structure for storing regular chaindata? I think it is good to avoid creating new single-use generic data structures when possible.
There was a problem hiding this comment.
Sure, we can think about it as general purpose but on the other hand I see no other use case for it outside package light right now. I'll leave it as it is for now, according to the 2:1 vote results :)
beacon/light/range.go
Outdated
|
|
||
| package light | ||
|
|
||
| // Range represents a (possibly zero-length) range of integers (sync periods). |
There was a problem hiding this comment.
Another pretty generic object; is there a reason to have this in light vs. common or internal?
There was a problem hiding this comment.
See above, I'd leave it for now.
beacon/light/range.go
Outdated
|
|
||
| // Range represents a (possibly zero-length) range of integers (sync periods). | ||
| type Range struct { | ||
| First, Next uint64 |
There was a problem hiding this comment.
I find "first" and "next" a bit confusing for a range. IMO "start" and "end" would make much more sense.
There was a problem hiding this comment.
Ah, so as I undersand it after looking at it for a while, the Range is actually [first, next[, whereas start/end would be instead have to be [start, end]
There was a problem hiding this comment.
This is so far the best suggestion, accepted :) At one point it was "first" and "afterLast", that was probably the worst one.
There was a problem hiding this comment.
I just realized you meant [start, end] and not [start, end[. The reason I want the second value to point after the range it because I want to be able to handle zero length ranges without them being a special case most of the time.
beacon/light/range.go
Outdated
| // CanExpand returns true if the range includes or can be expanded with the given | ||
| // period (either the range is empty or the given period is inside, right before or | ||
| // right after the range). | ||
| func (a Range) CanExpand(period uint64) bool { |
There was a problem hiding this comment.
This method feels a bit overzealous. Wouldn't it be better to simply check if the value would increase the range by only 1, preferably at the end? Is there a reason to also check if the period is contained within the Range?
There was a problem hiding this comment.
This exact check is needed in many places so I'd rather keep it, maybe change its name if there is a better suggestion. canonicalStore operates on items in continuous ranges and does not care any further about how it's used. It is sometimes expanded on both ends. The CommitteeChain uses three canonicalStores so it also needs this check to check whether it can add a certain item.
beacon/light/range.go
Outdated
| } | ||
|
|
||
| // Expand expands the range with the given period (assumes that CanExpand returned true). | ||
| func (a *Range) Expand(period uint64) { |
There was a problem hiding this comment.
This one also seems too powerful. I think it should be clearer which direction the range is being increased towards.
beacon/light/committee_chain.go
Outdated
| updates *canonicalStore[*types.LightClientUpdate] | ||
| committees *canonicalStore[*types.SerializedSyncCommittee] | ||
| fixedRoots *canonicalStore[common.Hash] |
There was a problem hiding this comment.
What is the purpose of storing historical values here? In the light client spec, the store only stores the latest values and is constant size: https://github.com/ethereum/consensus-specs/blob/dev/specs/altair/light-client/sync-protocol.md#lightclientstore
--
Unrelated, this name fixedRoots is a bit ambiguous. Maybe committeeRoots would be better? Should the values in the committees store match the fixed roots values?
There was a problem hiding this comment.
CommitteeChain is also used by servers. Actually I want light clients to also be able to serve light sync data (committee chain and latest signed head) to other clients. I'd like to move away from the strict client-server separation and make it a typical use case that some node follows the beacon chain as a light client but then processes and serves the state, or just updates and serves a slice of the state.
Another reason to have the chain even as a client-only node is the hopefully largely theoretical possibility of low sync committee signer participation where we might temporarily accept below 2/3 signers but this means that reorgs are also possible. I hope this will never come up on mainnet but the capability of recovering from such a scenario could make such an attack unfeasible.
Also we can later add a prune feature to CommitteeChain so if one really wants to be lightweight then always pruning everything before the latest period is still an option.
There was a problem hiding this comment.
I agree about "fixedRoots", renamed to "fixedCommitteeRoots".
beacon/light/committee_chain.go
Outdated
| } | ||
|
|
||
| // AddCommittee adds a committee at the given period if possible. | ||
| func (s *CommitteeChain) AddCommittee(period uint64, committee *types.SerializedSyncCommittee) error { |
There was a problem hiding this comment.
Shouldn't this be driven by InsertUpdate?
There was a problem hiding this comment.
Committees can be added in two ways: either together with an update that proves its validity or separately, based on a fixed committee root. This is how the chain is initialized, the bootstrap data proves two committee roots that we can set as fixed, and one full committee that we can add right away via this function. You cannot call InsertUpdate until at least one committee has been added.
It can also be used by servers who want to backfill some committees based on historical beacon state proofs that can also prove old committee roots. This is why I exported AddFixedCommitteeRoot and AddCommittee separately, because root proving can be done in different ways and getting the actual committee might happen at a different time.
zsfelfoldi
force-pushed
the
committee_chain
branch
from
bc919c1
to
4d71502
Compare
beacon/light/committee_chain.go
Outdated
| // DeleteFixedCommitteeRootsFrom deletes fixed roots starting from the given period. | ||
| // It also maintains chain consistency, meaning that it also deletes updates and | ||
| // committees if they are no longer supported by a valid update chain. | ||
| func (s *CommitteeChain) DeleteFixedCommitteeRootsFrom(period uint64) error { |
beacon/light/canonical.go
Outdated
| cache *lru.Cache[uint64, T] | ||
| encode func(T) ([]byte, error) | ||
| decode func([]byte) (T, error) |
There was a problem hiding this comment.
I am not sure that using generics here is a good thing.
-
In the constructor to committee chain, you define on-the-fly decoders and encoders, and initiate the canonicalStores. That is a bit clunky, IMO, and not the most elegant/readable way to organize the code.
-
The caches are all lru of size 100. But typically, we would want to use different cache sizes depending on how heavy the items are. In blockchain, we cache more headers than blocks, for example.
I think this could be written a bit dumbed-down as three explicit stores, perhaps with some shared methods, without expanding the code too much. I'm not 100% sure though, maybe I'll have to try it out.
There was a problem hiding this comment.
Here's a proof of concept of a no-generics rewrite: https://github.com/zsfelfoldi/go-ethereum/pull/22/files
+289, -185 LOC, so maybe the generics-version wins. I dunno.
There was a problem hiding this comment.
I feel like this is a typical use case for generics and it is probably better than the duplication in your version. Maybe I could do encode/decode more elegantly and also use a param for the cache size (though it's not really an issue because they all operate on the same range of periods). I'll think about it.
There was a problem hiding this comment.
How about keeping generics but getting rid of custom encoders, only rely on rlp-encoding things?
There was a problem hiding this comment.
For
SerializeSyncCommitte: it would consume24627bytes instead of24624bytes.LightClientUpdate: no changeFixedCommitteeRoot(common.Hash): it would consume33bytes instead of32.
I think that would be much better.
Alternatively, if you want to be more explicit, you could do
type codec struct {
rlp.Encoder
rlp.Decoder
}
...
type canonicalStore[T codec] struct {
keyPrefix []byte
...But then you need to add custom marshallers/unmarshallers on the types.
| // | ||
| // Once synced to the current sync period, CommitteeChain can also validate | ||
| // signed beacon headers. | ||
| type CommitteeChain struct { |
There was a problem hiding this comment.
Why does this type, and, for that matter, the constructor NewComitteeChain, need to be public?
Aren't we going to use them as internals in some upcoming BeaconChain type?
There was a problem hiding this comment.
No, it is not encapsulated in a bigger structure. In the blsync code it is synced by a sync module in package beacon/light/sync where it is also used by another module to validate incoming new heads.
See the latest blsync branch:
https://github.com/zsfelfoldi/go-ethereum/tree/blsync-nofinal4
| if a.End == period { | ||
| a.End++ | ||
| } | ||
| } |
There was a problem hiding this comment.
You could add two methods:
// Split splits the range into two ranges. The 'fromPeriod' will be the first
// element in the second range (if present).
// The original range is unchanged by this operation
func (a *Range) Split(fromPeriod uint64) (Range, Range) {
if fromPeriod <= a.Start {
// First range empty, everything in second range,
return Range{}, Range{a.Start, a.End}
}
if fromPeriod > a.End {
// Second range empty, everything in first range,
return Range{a.Start, a.End}, Range{}
}
x := Range{a.Start, fromPeriod - 1}
y := Range{fromPeriod, a.End}
return x, y
}
// Each invokes the supplied function fn once per period in range
func (a *Range) Each(fn func(uint64)) {
for p := a.Start; p < a.End; p++ {
fn(p)
}
}Then the canonical store would be simplified... (see below)
beacon/light/canonical.go
Outdated
| if fromPeriod >= cs.periods.End { | ||
| return | ||
| } | ||
| if fromPeriod < cs.periods.Start { | ||
| fromPeriod = cs.periods.Start | ||
| } | ||
| deleted = Range{Start: fromPeriod, End: cs.periods.End} | ||
| for period := fromPeriod; period < cs.periods.End; period++ { | ||
| batch.Delete(cs.databaseKey(period)) | ||
| cs.cache.Remove(period) | ||
| } | ||
| if fromPeriod > cs.periods.Start { | ||
| cs.periods.End = fromPeriod | ||
| } else { | ||
| cs.periods = Range{} | ||
| } | ||
| return | ||
| } |
There was a problem hiding this comment.
| if fromPeriod >= cs.periods.End { | |
| return | |
| } | |
| if fromPeriod < cs.periods.Start { | |
| fromPeriod = cs.periods.Start | |
| } | |
| deleted = Range{Start: fromPeriod, End: cs.periods.End} | |
| for period := fromPeriod; period < cs.periods.End; period++ { | |
| batch.Delete(cs.databaseKey(period)) | |
| cs.cache.Remove(period) | |
| } | |
| if fromPeriod > cs.periods.Start { | |
| cs.periods.End = fromPeriod | |
| } else { | |
| cs.periods = Range{} | |
| } | |
| return | |
| } | |
| keepRange, deleteRange := cs.periods.Split(fromPeriod) | |
| deleteRange.Each(func(period uint64) { | |
| batch.Delete(cs.databaseKey(period)) | |
| cs.cache.Remove(period) | |
| }) | |
| cs.periods = keepRange | |
| return deleteRange | |
| } |
There was a problem hiding this comment.
Thanks, indeed it's nicer :)
beacon/light/canonical.go
Outdated
| func newCanonicalStore[T any](db ethdb.KeyValueStore, keyPrefix []byte, | ||
| encode func(T) ([]byte, error), decode func([]byte) (T, error)) *canonicalStore[T] { | ||
| cs := &canonicalStore[T]{ | ||
| db: db, |
There was a problem hiding this comment.
It's a bit funky that you have a db here. Whereas in some cases, like add, you take a backend ethdb.KeyValueWriter.
The cs.db is only used in get and in this iterator here. Feels a bit inconsistent, api-wise.
There was a problem hiding this comment.
Indeed, it was a bit weird because of the batch operations. Now I always use an external db param.
beacon/light/canonical.go
Outdated
| if value, ok = cs.cache.Get(period); ok { | ||
| return | ||
| } | ||
| if enc, err := cs.db.Get(cs.databaseKey(period)); err == nil { |
There was a problem hiding this comment.
Is it intentional not to add the resolved value to the cache?
There was a problem hiding this comment.
It wasn't, fixed.
beacon/light/canonical.go
Outdated
| if enc, err := backend.Get(cs.databaseKey(period)); err == nil { | ||
| if v, err := cs.decode(enc); err == nil { | ||
| value, ok = v, true | ||
| cs.cache.Add(period, value) | ||
| } else { | ||
| log.Error("Error decoding canonical store value", "error", err) | ||
| } | ||
| } else { | ||
| log.Error("Canonical store value not found", "period", period, "start", cs.periods.Start, "end", cs.periods.End) | ||
| } | ||
| return |
There was a problem hiding this comment.
The logic here is a bit non-idiomatic, and it's kind of difficult to see that this chunk of code ignores one error (namely, if the backend.Get returns an error, it gets silently overlooked).
Please move things around so that you terminate on the happy path
- Do operation
- if error, handle
- do another operation
- if error handle
...
N. Success all the way
There was a problem hiding this comment.
Done; I also removed the named return values, I think it's much more readable now.
beacon/light/canonical.go
Outdated
| func (cs *canonicalStore[T]) deleteFrom(batch ethdb.Batch, fromPeriod uint64) (deleted Range) { | ||
| keepRange, deleteRange := cs.periods.Split(fromPeriod) | ||
| deleteRange.Each(func(period uint64) { | ||
| batch.Delete(cs.databaseKey(period)) | ||
| cs.cache.Remove(period) | ||
| }) |
There was a problem hiding this comment.
| func (cs *canonicalStore[T]) deleteFrom(batch ethdb.Batch, fromPeriod uint64) (deleted Range) { | |
| keepRange, deleteRange := cs.periods.Split(fromPeriod) | |
| deleteRange.Each(func(period uint64) { | |
| batch.Delete(cs.databaseKey(period)) | |
| cs.cache.Remove(period) | |
| }) | |
| func (cs *canonicalStore[T]) deleteFrom(db ethdb.KeyValueWriter, fromPeriod uint64) (deleted Range) { | |
| keepRange, deleteRange := cs.periods.Split(fromPeriod) | |
| deleteRange.Each(func(period uint64) { | |
| db.Delete(cs.databaseKey(period)) | |
| cs.cache.Remove(period) | |
| }) |
Let's use minimal interfaces
beacon/light/canonical.go
Outdated
|
|
||
| // newCanonicalStore creates a new canonicalStore and loads all keys associated | ||
| // with the keyPrefix in order to determine the ranges available in the database. | ||
| func newCanonicalStore[T any](db ethdb.KeyValueStore, keyPrefix []byte, |
There was a problem hiding this comment.
| func newCanonicalStore[T any](db ethdb.KeyValueStore, keyPrefix []byte, | |
| func newCanonicalStore[T any](db ethdb.Iteratee, keyPrefix []byte, |
There was a problem hiding this comment.
Done, though I'm not really sure whether it's really better to use different interfaces for the same backing database in different functions. I guess it's mostly a matter of taste, now at least we consistently use minimally required interfaces.
beacon/light/canonical.go
Outdated
| func (cs *canonicalStore[T]) databaseKey(period uint64) []byte { | ||
| var ( | ||
| kl = len(cs.keyPrefix) | ||
| key = make([]byte, kl+8) | ||
| ) | ||
| copy(key[:kl], cs.keyPrefix) | ||
| binary.BigEndian.PutUint64(key[kl:], period) | ||
| return key | ||
| } |
There was a problem hiding this comment.
| func (cs *canonicalStore[T]) databaseKey(period uint64) []byte { | |
| var ( | |
| kl = len(cs.keyPrefix) | |
| key = make([]byte, kl+8) | |
| ) | |
| copy(key[:kl], cs.keyPrefix) | |
| binary.BigEndian.PutUint64(key[kl:], period) | |
| return key | |
| } | |
| func (cs *canonicalStore[T]) databaseKey(period uint64) []byte { | |
| return binary.BigEndian.AppendUint64(cs.keyPrefix, period) | |
| } |
Isn't this equivalent?
There was a problem hiding this comment.
Maybe this is safer
func (cs *canonicalStore[T]) databaseKey(period uint64) []byte {
return binary.BigEndian.AppendUint64(append(nil, cs.keyPrefix...), period)
}There was a problem hiding this comment.
I learned something today :) (never noticed that an AppendUint64 exists)
beacon/light/range.go
Outdated
| package light | ||
|
|
||
| // Range represents a (possibly zero-length) range of integers (sync periods). | ||
| type Range struct { |
There was a problem hiding this comment.
Must it be public? Please make it non-exported, for now at least
There was a problem hiding this comment.
done (I had to rename it to periodRange because range is a reserved word)
beacon/light/canonical.go
Outdated
| } else if cs.periods.End != period { | ||
| log.Warn("Gap in the canonical chain database") | ||
| break // continuity guaranteed | ||
| } |
There was a problem hiding this comment.
Also, a bit curious about this. We have a similar thing in ancients, where we have n 'tables', and during startup we sanity-check, and if any one table (e.g bodies) is shorter than the others, we need to trim the others so that they align.
In this code, you simply log a message and move on. What is the failure mode here? Is it an acceptable error if e.g. the updates are not aligned with the committee roots? Seems like we have three options
- As is: use what we have -- the range found, and move on
- Correlate: try to ensure that the three stores are aligned, if that's even applicable
- Error: raise a proper error to the calling code
There was a problem hiding this comment.
I went with the last option, there is no need to fix a faulty database here since it's easy enough to resync. This is also what checkConstraints does, the db is reset if it fails. Probably this is what would happen anyway if one of the stores were truncated. Now I return proper errors, show the error log and then reset the db just like in case of other inconsistencies.
|
Changes lgtm, but I have one remaining issue. I don't like on-the-fly encoders and decoders, in the canonicalStore. There are two possible fixes, as I see it.
|
Indeed, the overhead is very minimal, especially in absolute terms. Now it always uses rlp. |
This change implements CommitteeChain which is a key component of the beacon light client. It is a passive data structure that can validate, hold and update a chain of beacon light sync committees and updates, starting from a checkpoint that proves the starting committee through a beacon block hash, header and corresponding state. Once synced to the current sync period, CommitteeChain can also validate signed beacon headers.
This change implements CommitteeChain which is a key component of the beacon light client. It is a passive data structure that can validate, hold and update a chain of beacon light sync committees and updates, starting from a checkpoint that proves the starting committee through a beacon block hash, header and corresponding state. Once synced to the current sync period, CommitteeChain can also validate signed beacon headers.
This change implements CommitteeChain which is a key component of the beacon light client. It is a passive data structure that can validate, hold and update a chain of beacon light sync committees and updates, starting from a checkpoint that proves the starting committee through a beacon block hash, header and corresponding state. Once synced to the current sync period, CommitteeChain can also validate signed beacon headers.
* cmd, core, trie: verkle-capable `geth init` (ethereum#28270) This change allows the creation of a genesis block for verkle testnets. This makes for a chunk of code that is easier to review and still touches many discussion points. * eth/tracers/js: fix isPush for push0 (ethereum#28520) Fixes so that `push0` opcode is correctly reported as `true` by the `IsPush` function --------- Co-authored-by: Martin Holst Swende <martin@swende.se> * trie: spelling - fix comments in hasher (ethereum#28507) Co-authored-by: VM <arimas@foxmail.com> * tests/fuzzers: move fuzzers into native packages (ethereum#28467) This PR moves our fuzzers from tests/fuzzers into whatever their respective 'native' package is. The historical reason why they were placed in an external location, is that when they were based on go-fuzz, they could not be "hidden" via the _test.go prefix. So in order to shove them away from the go-ethereum "production code", they were put aside. But now we've rewritten them to be based on golang testing, and thus can be brought back. I've left (in tests/) the ones that are not production (bls128381), require non-standard imports (secp requires btcec, bn256 requires gnark/google/cloudflare deps). This PR also adds a fuzzer for precompiled contracts, because why not. This PR utilizes a newly rewritten replacement for go-118-fuzz-build, namely gofuzz-shim, which utilises the inputs from the fuzzing engine better. * tests: skip tests on windows 32bit CI (ethereum#28521) tests: skip half the blockchain- and state-tests on windows 32bit CI-tests * cmd/geth: more special cases logging tests (ethereum#28527) adds logging tests for errors and custom fmt.Stringer-types which output strings that needs to be quoted/escaped. * accounts,cmd,console,les,metrics: refactor some errors checked by (ST1005) go-staticcheck (ethereum#28532) fix: fix some (ST1005)go-staticcheck * miner: run tests in parallel (ethereum#28506) Changes many of the tests in the miner package to run in parallel * internal/jsre/deps: fix typo in jsdoc (ethereum#28511) minor typo fix * accounts/abi: improve readability of method-to-string conversion (ethereum#28530) refactor: improve readability of NewMethod print * all: replace some cases of strings.SplitN with strings.Cut (ethereum#28446) * ethdb/memorydb, trie: reduced allocations (ethereum#28473) * trie: use pooling of iterator states in iterator The node iterator burns through a lot of memory while iterating a trie, and a lot of that can be avoided by using a fairly small pool (max 40 items). name old time/op new time/op delta Iterator-8 6.22ms ± 3% 5.40ms ± 6% -13.18% (p=0.008 n=5+5) name old alloc/op new alloc/op delta Iterator-8 2.36MB ± 0% 1.67MB ± 0% -29.23% (p=0.008 n=5+5) name old allocs/op new allocs/op delta Iterator-8 37.0k ± 0% 29.8k ± 0% ~ (p=0.079 n=4+5) * ethdb/memorydb: avoid one copying of key By making the transformation from []byte to string at an earlier point, we save an allocation which otherwise happens later on. name old time/op new time/op delta BatchAllocs-8 412µs ± 6% 382µs ± 2% -7.18% (p=0.016 n=5+4) name old alloc/op new alloc/op delta BatchAllocs-8 480kB ± 0% 490kB ± 0% +1.93% (p=0.008 n=5+5) name old allocs/op new allocs/op delta BatchAllocs-8 3.03k ± 0% 2.03k ± 0% -32.98% (p=0.008 n=5+5) * Dockerfile: update Go to 1.21 (ethereum#28538) * cmd/evm: validate blockchain tests poststate account storage (ethereum#28443) This PR verifies the accounts' storage as specified in a blockchain test's postState field The expect-section, it does really only check that the test works. It's meant for the test-author to verify that "If the test does what it's supposed to, then the nonce of X should be 2, and the slot Y at Z should be 0x123. This expect-section is not exhaustive (not full post-state) It is also not auto-generated, but put there manually by the author. We can still check it, as a test-sanity-check, in geth * signer: run tests in parallel (ethereum#28536) marks tests as parallel-safe in package signer * accounts, cmd: fix typos (ethereum#28526) * core/txpool/legacypool: respect nolocals-setting (ethereum#28435) This change adds a check to ensure that transactions added to the legacy pool are not treated as 'locals' if the global locals-management has been disabled. This change makes the pool enforce the --txpool.pricelimit setting. * cmd: run tests in parallel (ethereum#28546) * core/state/snapshot: print correct error from trie iterator (ethereum#28560) * cmd/evm: capitalize evm commands (ethereum#28569) * standard:fix for a unified standard * standard:fix more as a complements --------- Co-authored-by: haotian <haotian@haotiandeMacBook-Air.local> * accounts/abi: context info on unpack-errors (ethereum#28529) adds contextual information to errors returned by unpack * core, trie, rpc: speed up tests (ethereum#28461) * rpc: make subscription test faster reduces time for TestClientSubscriptionChannelClose from 25 sec to < 1 sec. * trie: cache trie nodes for faster sanity check This reduces the time spent on TestIncompleteSyncHash from ~25s to ~16s. * core/forkid: speed up validation test This takes the validation test from > 5s to sub 1 sec * core/state: improve snapshot test run brings the time for TestSnapshotRandom from 13s down to 6s * accounts/keystore: improve keyfile test This removes some unnecessary waits and reduces the runtime of TestUpdatedKeyfileContents from 5 to 3 seconds * trie: remove resolver * trie: only check ~5% of all trie nodes * ethdb/pebble: don't double-close iterator inside pebbleIterator (ethereum#28566) Adds 'released' flag to pebbleIterator to avoid double closing cockroachdb/pebble.Iterator as it is an invalid operation. Fixes ethereum#28565 * eth/filters: reuse error msg for invalid block range (ethereum#28479) * core/types: make 'v' optional for DynamicFeeTx and BlobTx (ethereum#28564) This fixes an issue where transactions would not be accepted when they have only 'yParity' and not 'v'. * rpc: improve performance of subscription notification encoding (ethereum#28328) It turns out that encoding json.RawMessage is slow because package json basically parses the message again to ensure it is valid. We can avoid the slowdown by encoding the entire RPC notification once, which yields a 30% speedup. * cmd/utils: validate pre-existing genesis in --dev mode (ethereum#28468) geth --dev can be used with an existing data directory and genesis block. Since dev mode only works with PoS, we need to verify that the merge has happened. Co-authored-by: Felix Lange <fjl@twurst.com> * cmd/geth: add support for --dev flag in dumpgenesis (ethereum#28463) Co-authored-by: Felix Lange <fjl@twurst.com> Co-authored-by: lightclient <lightclient@protonmail.com> * les/vflux: run tests in parallel (ethereum#28524) * cmd/{geth,utils}: add cmd to export preimages in snap enumeration order (ethereum#28256) Adds a subcommand: `geth snapshot export-preimages`, to export preimages of every hash found during a snapshot enumeration: that is, it exports _only the active state_, and not _all_ preimages that have been used but are no longer part of the state. This tool is needed for the verkle transition, in order to distribute the preimages needed for the conversion. Since only the 'active' preimages are exported, the output is shrunk from ~70GB to ~4GB. The order of the output is the order used by the snapshot enumeration, which avoids database thrashing. However, it also means that storage-slot preimages are not deduplicated. * cmd/geth: fix build error (ethereum#28585) * cmd/devp2p/internal/ethtest: undo debug-hack (ethereum#28588) cmd/devp2p/internal/ethtest: remove a debug-hack flaw which prevented certain tests from running * params: update discV5 bootnodes (ethereum#28562) update discV5 bootnodes from https://github.com/eth-clients/eth2-networks/blob/master/shared/mainnet/bootstrap_nodes.txt * cmd, les, tests: remove light client code (ethereum#28586) * cmd, les, tests: remove light client code This commit removes the light client (LES) code. Since the merge the light client has been broken and it is hard to maintain it alongside the normal client. We decided it would be best to remove it for now and maybe rework and reintroduce it in the future. * cmd, eth: remove some more mentions of light mode * cmd: re-add flags and mark as deprecated * cmd: warn the user about deprecated flags * eth: better error message * eth, internal/ethapi: drop some weird indirection (ethereum#28597) * trie: fix random test generator early terminate (ethereum#28590) This change fixes a minor bug in the `randTest.Generate` function, which caused the `quick.Check` to be a no-op. * eth/gasestimator, internal/ethapi: move gas estimator out of rpc (ethereum#28600) * go.mod: update uint256 to v1.2.4 (ethereum#28612) * eth/catalyst, eth/downloader: expose more sync information (ethereum#28584) This change exposes more information from sync module internally * light: remove package light(ethereum#28614) This changes removes the package 'light', which is currently unused. * cmd/evm, core/state: fix post-exec dump of state (statetests, blockchaintests) (ethereum#28504) There were several problems related to dumping state. - If a preimage was missing, even if we had set the `OnlyWithAddresses` to `false`, to export them anyway, the way the mapping was constructed (using `common.Address` as key) made the entries get lost anyway. Concerns both state- and blockchain tests. - Blockchain test execution was not configured to store preimages. This changes makes it so that the block test executor takes a callback, just like the state test executor already does. This callback can be used to examine the post-execution state, e.g. to aid debugging of test failures. * ethereum: remove TODO comment about subscription (ethereum#28609) * eth/tracers/js: fix type inconsistencies (ethereum#28488) This change fixes two type-inconsistencies in the JS tracer: - In most places we return byte arrays as a `Uint8Array` to the tracer. However it seems we missed doing the conversion for `ctx` fields which are passed to the tracer during `result`. They are passed as simple arrays. I think Uint8Arrays are more suitable and we should change this inconsistency. Note: this will be a breaking-change. But I believe the effect is small. If we look at our tracers we see that these fields (`ctx.from`, `ctx.to`, etc.) are used in 2 ways. Passed to `toHex` which takes both array or buffer. Or the length was measured which is the same for both types. - The `slice` taking in `int, int` params versus `memory.slice` taking `int64, int64` params. I suggest changing `slice` types to `int64`. This should have no effect almost in any case. * crypto/secp256k1: fix 32-bit tests when CGO_ENABLED=0 (ethereum#28602) * consensus: verify the nonexistence of shanghai- and cancun-specific header fields (ethereum#28605) * eth/gasestimator: allow slight estimation error in favor of less iterations (ethereum#28618) * eth/gasestimator: early exit for plain transfer and error allowance * core, eth/gasestimator: hard guess at a possible required gas * internal/ethapi: update estimation tests with the error ratio * eth/gasestimator: I hate you linter * graphql: fix gas estimation test --------- Co-authored-by: Oren <orenyomtov@users.noreply.github.com> * all: replace log15 with slog (ethereum#28187) This PR replaces Geth's logger package (a fork of [log15](https://github.com/inconshreveable/log15)) with an implementation using slog, a logging library included as part of the Go standard library as of Go1.21. Main changes are as follows: * removes any log handlers that were unused in the Geth codebase. * Json, logfmt, and terminal formatters are now slog handlers. * Verbosity level constants are changed to match slog constant values. Internal translation is done to make this opaque to the user and backwards compatible with existing `--verbosity` and `--vmodule` options. * `--log.backtraceat` and `--log.debug` are removed. The external-facing API is largely the same as the existing Geth logger. Logger method signatures remain unchanged. A small semantic difference is that a `Handler` can only be set once per `Logger` and not changed dynamically. This just means that a new logger must be instantiated every time the handler of the root logger is changed. ---- For users of the `go-ethereum/log` module. If you were using this module for your own project, you will need to change the initialization. If you previously did ```golang log.Root().SetHandler(log.LvlFilterHandler(log.LvlInfo, log.StreamHandler(os.Stderr, log.TerminalFormat(true)))) ``` You now instead need to do ```golang log.SetDefault(log.NewLogger(log.NewTerminalHandlerWithLevel(os.Stderr, log.LevelInfo, true))) ``` See more about reasoning here: ethereum#28558 (comment) * core/state: make stateobject.create selfcontain (ethereum#28459) * trie/triedb/hashdb: take lock around access to dirties cache (ethereum#28542) Add read locking of db lock around access to dirties cache in hashdb.Database to prevent data race versus hashdb.Database.dereference which can modify the dirities map by deleting an item. Fixes ethereum#28541 --------- Co-authored-by: Gary Rong <garyrong0905@gmail.com> * accounts/abi/bind: fix typo (ethereum#28630) * slog: faster and less memory-consumption (ethereum#28621) These changes improves the performance of the non-coloured terminal formatting, _quite a lot_. ``` name old time/op new time/op delta TerminalHandler-8 10.2µs ±15% 5.4µs ± 9% -47.02% (p=0.008 n=5+5) name old alloc/op new alloc/op delta TerminalHandler-8 2.17kB ± 0% 0.40kB ± 0% -81.46% (p=0.008 n=5+5) name old allocs/op new allocs/op delta TerminalHandler-8 33.0 ± 0% 5.0 ± 0% -84.85% (p=0.008 n=5+5) ``` I tried to _somewhat_ organize the commits, but the it might still be a bit chaotic. Some core insights: - The function `terminalHandler.Handl` uses a mutex, and writes all output immediately to 'upstream'. Thus, it can reuse a scratch-buffer every time. - This buffer can be propagated internally, making all the internal formatters either write directly to it, - OR, make use of the `tmp := buf.AvailableBuffer()` in some cases, where a byte buffer "extra capacity" can be temporarily used. - The `slog` package uses `Attr` by value. It makes sense to minimize operating on them, since iterating / collecting into a new slice, iterating again etc causes copy-on-heap. Better to operate on them only once. - If we want to do padding, it's better to copy from a constant `space`-buffer than to invoke `bytes.Repeat` every single time. * eth/tracers: tx-level state in debug_traceCall (ethereum#28460) * cmd/evm: fix Env struct json tag (ethereum#28635) * accounts/abi/bind: fixed typos (ethereum#28634) * Update auth.go * Update backend.go * Update bind.go * Update bind_test.go * eth/fetcher: fix invalid tracking of received at time for block (ethereum#28637) eth/fetcher: fix invalid tracking of received at time * accounts: run tests in parallel (ethereum#28544) * eth/tracers/logger: make structlog/json-log stack hex again (ethereum#28628) * common/hexutil: define hex wrappers for uint256.Int * eth/tracers/logger: make structlog/json-log stack hex again * common/hexutil: goimports * log: remove lazy, remove unused interfaces, unexport methods (ethereum#28622) This change - Removes interface `log.Format`, - Removes method `log.FormatFunc`, - unexports `TerminalHandler.TerminalFormat` formatting methods (renamed to `TerminalHandler.format`) - removes the notion of `log.Lazy` values The lazy handler was useful in the old log package, since it could defer the evaluation of costly attributes until later in the log pipeline: thus, if the logging was done at 'Trace', we could skip evaluation if logging only was set to 'Info'. With the move to slog, this way of deferring evaluation is no longer needed, since slog introduced 'Enabled': the caller can thus do the evaluate-or-not decision at the callsite, which is much more straight-forward than dealing with lazy reflect-based evaluation. Also, lazy evaluation would not work with 'native' slog, as in, these two statements would be evaluated differently: ```golang log.Info("foo", "my lazy", lazyObj) slog.Info("foo", "my lazy", lazyObj) ``` * .github: use github actions to run 32-bit linux tests (ethereum#28549) use github actions to run 32-bit linux tests * ethdb/pebble: remove a dependency (ethereum#28627) The dependency was not really used anyway, so we can get rid of it. Co-authored-by: Felix Lange <fjl@twurst.com> * tests/fuzzers/bls12381: deactivate BLS fuzzer when CGO_ENABLED=0 (ethereum#28653) tests/fuzzers/bls12381: deactivate fuzzer when CGO_ENABLED=0 * build: upgrade -dlgo version to Go 1.21.5 (ethereum#28648) * rpc: fix ns/µs mismatch in metrics (ethereum#28649) The rpc/duration/all meter was in nanoseconds, the individual meter in microseconds. This PR changes it so both of them use nanoseconds. * cmd/evm: fix dump after state-test exec (ethereum#28650) The dump after state-test didn't work, the problem was an error, "Already committed", which was silently ignored. This change re-initialises the state, so the dumping works again. * beacon/light: add CommitteeChain (ethereum#27766) This change implements CommitteeChain which is a key component of the beacon light client. It is a passive data structure that can validate, hold and update a chain of beacon light sync committees and updates, starting from a checkpoint that proves the starting committee through a beacon block hash, header and corresponding state. Once synced to the current sync period, CommitteeChain can also validate signed beacon headers. * cmd/utils, eth: disallow invalid snap sync / snapshot flag combos (ethereum#28657) * eth: prevent startup in snap mode without snapshots * cmd/utils: try to fix bad flag combos wrt snap sync and snapshot generation * trie: remove inconsistent trie nodes during sync in path mode (ethereum#28595) This fixes a database corruption issue that could occur during state healing. When sync is aborted while certain modifications were already committed, and a reorg occurs, the database would contain incorrect trie nodes stored by path. These nodes need to detected/deleted in order to obtain a complete and fully correct state after state healing. --------- Co-authored-by: Felix Lange <fjl@twurst.com> * cmd/utils: fix HTTPHost, WSHost flag priority (ethereum#28669) Co-authored-by: Felix Lange <fjl@twurst.com> * eth/protocols/eth: fix typos in comments (ethereum#28652) * core/txpool : small cleanup refactors (ethereum#28654) * eth/fetcher, eth/gasestimator: fix typos in comments (ethereum#28675) * all: fix typos in comments (ethereum#28662) Co-authored-by: Felix Lange <fjl@twurst.com> * miner: eliminate the dead loop possibility for `newWorkLoop` and `mainLoop` (ethereum#28677) discard the intervalAdjust message if the channel is full * all: fix typos in comments (ethereum#28682) chore(core,eth):fix a couple of typos * p2p/discover: add liveness check in collectTableNodes (ethereum#28686) * p2p/discover: add liveness check in collectTableNodes * p2p/discover: fix test * p2p/discover: rename to appendLiveNodes * p2p/discover: add dedup logic back * p2p/discover: simplify * p2p/discover: fix issue found by test * internal/flags: add missing flag types for auto-env-var generation (ethereum#28692) Certain flags, such as `--rpc.txfeecap` currently do not have an env-var auto-generated for them. This change adds three missing cli flag types to the auto env-var helper function to fix this. * cmd/evm: default to mirror mainnet forks enabled (ethereum#28691) cmd/evm: default to using dev chain config (all mainnet HFs activated at block/timestamp 0 * cmd/evm, cmd/clef, cmd/bootnode: fix / unify logging (ethereum#28696) This change fixes a problem with our non-core binaries: evm, clef, bootnode. First of all, they failed to convert from legacy loglevels 1 to 5, to the new slog loglevels -4 to 4. Secondly, the logging was actually setup in the init phase, and then overridden in the main. This is not needed for evm, since it used the same flag name as the main geth verbosity. Better to let the flags/internal handle the logging init. * cmd/evm: t8n support custom tracers (ethereum#28557) This change implements ability for the `evm t8n` tool to use custom tracers; either 'native' golang tracers or javascript tracers. * params: release go-ethereum v1.13.6 stable * Fix build errors * Fix test-integration --------- Co-authored-by: Guillaume Ballet <3272758+gballet@users.noreply.github.com> Co-authored-by: Sina Mahmoodi <1591639+s1na@users.noreply.github.com> Co-authored-by: Martin Holst Swende <martin@swende.se> Co-authored-by: VM <112189277+sysvm@users.noreply.github.com> Co-authored-by: VM <arimas@foxmail.com> Co-authored-by: jwasinger <j-wasinger@hotmail.com> Co-authored-by: Zoro <40222601+BabyHalimao@users.noreply.github.com> Co-authored-by: Håvard Anda Estensen <haavard.ae@gmail.com> Co-authored-by: aliening <128203330+aliening@users.noreply.github.com> Co-authored-by: Halimao <1065621723@qq.com> Co-authored-by: danceratopz <danceratopz@gmail.com> Co-authored-by: levisyin <150114626+levisyin@users.noreply.github.com> Co-authored-by: jp-imx <109574657+jp-imx@users.noreply.github.com> Co-authored-by: rjl493456442 <garyrong0905@gmail.com> Co-authored-by: Haotian <51777534+tmelhao@users.noreply.github.com> Co-authored-by: haotian <haotian@haotiandeMacBook-Air.local> Co-authored-by: Marius van der Wijden <m.vanderwijden@live.de> Co-authored-by: Maciej Kulawik <10907694+magicxyyz@users.noreply.github.com> Co-authored-by: ucwong <ucwong@126.com> Co-authored-by: Mario Vega <marioevz@gmail.com> Co-authored-by: Delweng <delweng@gmail.com> Co-authored-by: Felix Lange <fjl@twurst.com> Co-authored-by: lightclient <lightclient@protonmail.com> Co-authored-by: Mikel Cortes <45786396+cortze@users.noreply.github.com> Co-authored-by: Péter Szilágyi <peterke@gmail.com> Co-authored-by: Ng Wei Han <47109095+weiihann@users.noreply.github.com> Co-authored-by: lightclient <14004106+lightclient@users.noreply.github.com> Co-authored-by: Shivam Sandbhor <shivam.sandbhor@gmail.com> Co-authored-by: Jakub Freebit <49676311+jakub-freebit@users.noreply.github.com> Co-authored-by: Oren <orenyomtov@users.noreply.github.com> Co-authored-by: BorkBorked <107079055+BorkBorked@users.noreply.github.com> Co-authored-by: ddl <dengdiliang@gmail.com> Co-authored-by: Manav Darji <manavdarji.india@gmail.com> Co-authored-by: Marius Kjærstad <sandakersmann@users.noreply.github.com> Co-authored-by: Felföldi Zsolt <zsfelfoldi@gmail.com> Co-authored-by: Ford <153042616+guerrierindien@users.noreply.github.com> Co-authored-by: Ursulafe <152976968+Ursulafe@users.noreply.github.com> Co-authored-by: Elias Rad <146735585+nnsW3@users.noreply.github.com> Co-authored-by: FletcherMan <fanciture@163.com> Co-authored-by: alex <152680487+bodhi-crypo@users.noreply.github.com> Co-authored-by: Sebastian Stammler <seb@oplabs.co>
This PR implements CommitteeChain which is a key component of the beacon light client. It is a passive data structure that can validate, hold and update a chain of beacon light sync committees and updates, starting from a checkpoint that proves the starting committee through a beacon block hash, header and corresponding state. Once synced to the current sync period, CommitteeChain can also validate signed beacon headers.