feat: chainstore: FRC-0051: Remove all equivocated blocks from tipsets

[arajasek]

Related Issues

#10793

Proposed Changes

As discussed in #10793, we now reject ALL blocks with the same miner and same height (irrespective of other details like common parents, common ticket, etc.). Further, when asked to consider taking a new tipset as head, we first refresh our heaviest tipset in order to check whether it's weight has DECREASED as a result of equivocation.

This PR also refactors / simplifies much of the "taking heavier tipset" logic. We now simply:

• PersistTipsets as we receive them, which also writes the tipset keys to the blockstore
• AddToTipsetTracker as we validate tipsets (blocks)
• When a new "head" is synced to / new block comes in, we simply notify the chainstore of its existence by calling RefreshHeaviestTipSet with the height of the new tipset.
• RefreshHeaviestTipSet works by:
  • Forming the best tipset at its CURRENT head's height -- if this best tipset is LIGHTER, we immediately take it as our new head, since that implies equivocation
  • Forming the best tipset at the input height (assuming different from height in previous step)
  • taking the heaviest of these tipsets as new head

Additional Info

Checklist

Before you mark the PR ready for review, please make sure that:

• Commits have a clear commit message.
• PR title is in the form of of <PR type>: <area>: <change being made>
  • example: fix: mempool: Introduce a cache for valid signatures
  • PR type: fix, feat, build, chore, ci, docs, perf, refactor, revert, style, test
  • area, e.g. api, chain, state, market, mempool, multisig, networking, paych, proving, sealing, wallet, deps
• New features have usage guidelines and / or documentation updates in
  • Lotus Documentation
  • Discussion Tutorials
• Tests exist for new functionality or change in behavior
• CI is green

[arajasek]

Exported for testing.

[arajasek]

We could ALSO drop the blocks from cs.tipsets entirely if we wanted to. I'm not sure this is the best thing to do, though, since that tracker is currently split between the "writer" method AddToTipsetTracker and the "reader" method ExpandTipset.

[Stebalien]

I'd leave them so we can detect new ones.

[Stebalien]

I'd leave them so we can detect new ones.

[Stebalien]

nit: I'd just collect all these blocks into a miner -> block map, then put them into an array at the very end.

[arajasek]

Not strictly necessary since we do this in PutTipSet too, but doesn't seem harmful to do for tests.

[guy-goren]

I left comments (mostly nitpicks) and questions. Be aware that I'm neither a proficient coder nor am I familiar with this code base (hence, possibly trivial questions).
My two main comments are:

• I think that conceptually it's better to consider a winning ticket rather than the proposing miner. Is there an implementation reason for considering the miner?
• If we don't keep the equivocating blocks (or just their cids), we may run into future trouble when we'd like to prove the miner's bad behavior (i.e., create an irrefutable proof of misbehavior).

[guy-goren]

If you delete h.Miner from the inclMiners, then wouldn't the next block from the equivocating miner (e.g., the 3rd block with the same winning ticket) gets included?
If this is not the case (because badMiners is used for that), then what's the benefit of badMiners instead of just looking in inclMiners again? (Seems inefficient.)

[guy-goren]

I think it's better to reject based on the same ticket rather than the same miner.

[guy-goren]

Are these blocks from a SINGLE tipset at that height or can these contain blocks from different tipsets with the same height (possible forks)?

[guy-goren]

Is parntTipsets a single tipset or could there be multiple parent tipsets?

[guy-goren]

Extending on a previous comment.
Personally, I find it confusing the use of included miners instead of included blocks (winning tickets). Currently there's a 1-1 relation between the two, but who's to say that this relation will remain in the future? Maybe there would be an implementation where a "very lucky" miner gets to include more blocks in a single tipset?
There's probably nothing you can do with it here, but maybe you have a reason that I failed to understand.

[arajasek]

I'm tempted to just use the new FormBestTipSetForHeight method here as well, and drop ExpandTipsetByHeightAndParent entirely.

[Stebalien]

Any reason not to?

[arajasek]

It's a bit slower, but I think I'd prefer doing it anyway

[Stebalien]

Some initial comments but I want to walk through this together tomorrow.

[Stebalien]

Can we persist inside AddToTipSetTracker? Or do it first?

[arajasek]

I think the right sequence of steps is:

• Persist, when you receive a block of interest
• Track, when you actually validate it
• Assume in "PutTipSet" that Persisting and Tracking has already happened

I'm gonna implement that and state the assumption for now.

[Stebalien]

Any reason not to?

[Stebalien]

This should not be exported.

[arajasek]

Only exported for tests, which need to be in a separate package (since they depend on the chain generator, which depends on the chainstore...)

[Stebalien]

Ugh.... ok.

[Stebalien]

nit: FormHeaviestTipSetForHeight?

[Stebalien]

can we unexport this method?

[Stebalien]

and may be call it informNewTipSet?

[Stebalien]

Basically, make it clear that we're telling the system "hey, we have this new tipset", maybe take it, maybe take something entirely different!

[Stebalien]

Needs lots of comments.

[Stebalien]

Still needs some comments explaining why.

[Stebalien]

nits, but this looks correct

[Stebalien]

1. Can we document why it's a lie?
2. Can we add a 🍰 emoji?

[Stebalien]

nit: it would be nice if this just handled writing blocks internally, but I guess that's probably not critical right now?

[arajasek]

Yeah, not critical I think. Also not super easy to do, because we want to be batching those writes, and this method tracks things one block at a time.

[Stebalien]

Hm... for genesis, are we sure any of this is right? Shouldn't we force replace everything? Like:

1. Discard all tipsets.
2. Replace the first tipset.
3. Move on?

Otherwise, e.g., the metadataDs.Put line below could do the wrong thing.

(not like this is likely to cause issues, but it's still a bit funky)

[arajasek]

I think you're right, but I was going for matching existing behaviour here, which this should do?

[Stebalien]

Yeah, you're right.

[Stebalien]

Let's just keep a list of TODOs, merge this, then we can make followup PRs (if/when we get time).

[Stebalien]

Still needs some comments explaining why.

[Stebalien]

I'm not sure how this is possible? If we refresh at a different height, shouldn't we have picked the heaviest tipset at that height?

[arajasek]

No, not necessarily. We'll only refresh at different heights if there was equivocation. Basically, assume current height heaviestHeight is 10, and we were informed about newTsHeight of 11.

• We refresh by finding the heaviest tipset at 10
• If the "refreshed" tipset at 10 is not lighter than our current heaviest tipset at 10, we'll just move on
• At that point, we hit this line, and decide we should form the heaviest tipset at height 11, and compare the two.

(If the "refreshed" tipset WAS lighter, though, then yes we would likely form a heavier tipset at 11, and immediately take that as our head, in which case we'd short-circuit here)

[Stebalien]

I think I understand?

[arajasek]

Let's talk through tomorrow, but I'm pretty sure it's correct.

[Stebalien]

This looks correct and probably "fast enough". But I'd like to poke at making it faster in the future by pre-grouping by height, etc.

[Stebalien]

I think I understand?

[Stebalien]

Ok, actually. I'm sorry, but I'm going to need to do this: is there any way to write a simple equivocation test?

[arajasek]

Ok, actually. I'm sorry, but I'm going to need to do this: is there any way to write a simple equivocation test?

That's at least kiiinda what this test is intended to be. Definitely others that could be written, though...

[Stebalien]

(but it would be nice to get one that tests switching away from a tipset)

[arajasek]

@Stebalien Added more in latest commit, please suggest more if you think of them -- we need to get this right.

[Stebalien]

Well, the tests I'd like are:

1. We switch tipsets at the current height (needs multiple tipsets with different parents).
2. We switch to a different height because we lose all the blocks in the tipset.
3. And maybe some kind of validation that we don't crash with too many null blocks in case 2?

[arajasek]

@Stebalien Thanks, all good ideas. I've added all 3 cases in latest commit, please take a look.

[Stebalien]

LGTM!