ACP-77: Implement validator state

[StephenButtolph]

Why this should be merged

ACP-77 introduces a new type of validator: the SubnetOnlyValidator.

This PR introduces this new validator type to the P-chain state.

How this works

SubnetOnlyValidator

For the new SubnetOnlyValidator type, the validator can either be active (EndAccumulatedFee != 0) or inactive (EndAccumulatedFee == 0).

active validators are handled similarly to other validator types. They can be sampled during consensus, can contribute to block production, can contribute to ICM (Warp) messages, and are held in memory to efficiently perform these operations. To limit the memory pressure introduced by active validators, the number of active validators is limited.

Unlike active validators, inactive validators are not sampled during consensus, can not contribute to block production, and can not contribute to ICM (Warp) messages. This allows inactive validators to be removed from memory and only kept on disk. Each L1 will have an entry in their validator set representing the cumulative amount of inactive stake.

Removing a SubnetOnlyValidator is performed simply by setting their Weight to be 0.

State Modifications

The P-chain state is broken into 2 implementations:

1. The on-disk representation state
2. Potential changes to the on-disk representation diff

The typical flow for performing a change is:

1. Create a diff on top of either the state or another diff.
2. Apply the diff to the parent, either the state or another diff.
3. Atomically commit changes made to state to disk.

Contrary to prior validator implementations within the state package, this PR attempts to provide validation of the requested changes.

Returned errors from PutSubnetOnlyValidator should result in no changes to the state.

PutSubnetOnlyValidator succeeding should result in a valid state representation, regardless of the expected API behavior.

The only exception to this is documented with:

// If an SoV with the same validationID as a previously removed SoV is
// added, the behavior is undefined.

It is difficult to handle this case within the state without introducing non-deterministic error reporting because validationIDs are deleted from disk when the state is deleted. This means that the state code would need to handle all of the fields of an SoV to change on demand. However, that would require additional changes to the validator manager and other parts of the code (which make assumptions around ValidationID implying a static subnetID + nodeID pair).

The in-memory validator manager and historical validator set diffs are only updated during the atomic disk commitment changes.

How this was tested

Added unit tests.

Need to be documented in RELEASES.md?

Added P-chain configs:

• l1-weights-cache-size
• l1-inactive-validators-cache-size
• l1-subnet-id-node-id-cache-size

[ceyonur]

LGTM!
(I left a question for the caching in #3516 (comment))

[yacovm]

under what circumstance is it nothing? Both here and in general (line 196 in subnet_only_validator.go)

[StephenButtolph]

This cache stores hits as maybe.Some and misses as maybe.Nothing. So, if someone performs a delete or a get which results in not found, maybe.Nothing would be cached.

[yacovm]

this might seem as a weird question, but - how deep is the expected recursion here?

[StephenButtolph]

The recursion ends at the lastAcceptedState and starts at the most recently verified block, so typically the recursion is very shallow.

[yacovm]

can you explain the high level idea of doing this backwards traversal in search of the subnet, both here and in the next function?

We basically don't have a full snapshot of the validators in each state? Why is that?

[StephenButtolph]

Performing a full copy of the validator states for each diff would be pretty expensive. The number of changes per block is typically small, but the number total entries being tracked can be quite large.

[michaelkaplan13]

(No action needed) Aren't all validators always either active or inactive? Not sure I understand the purpose of the comment

[StephenButtolph]

This was supposed to signify that no deleted SoVs will be returned from this function (isDeleted() will always return false). Specifically, this is to ensure that !isActive() means inactive (and not deleted)

[darioush]

Suggested change

	// SubnetOnlyValidator with the given validationID. It is guaranteed that any
	// returned validator is either active or inactive.
	// returned validator is either active or inactive (not deleted).

[yacovm]

Playing devil's advocate here, we're iterating here over a map, and calling baseState.PutSubnetOnlyValidator which may return with different errors. This means that across different nodes, we may fail differently, no?

Is that a concern?

[StephenButtolph]

It is generally unexpected for Apply to ever error.

Apply is called during Accept. If Apply were to return an error, that error would be propagated through Accept into the consensus engine (causing a FATAL).

[yacovm]

is priorSOV.Weight == sov.Weight legal? what does it mean?

[StephenButtolph]

If the priorSOV.Weight is greater than sov.Weight, then the weight of the validator is being decreased by priorSOV.Weight - sov.Weight units

[yacovm]

no but i asked what it means when they're equal, I edited shortly after, probably github didn't refresh my comment

[StephenButtolph]

Ah. It is possible for them to be equal. In that case the weight does not need to be modified.

[cam-schultz]

nit: numParentActiveSOVs is more descriptive IMO

[richardpringle]

Or parentActiveSOVCount because a "count" is more descriptive than a "number" 😉

[StephenButtolph]

I ended up going with parentNumActiveSOVs.

Because it aligns most with the actual source of this: parentState.NumActiveSubnetOnlyValidators()

[cam-schultz]

A couple high level questions that may be related:

• What triggers a new diff to be created?
• Did you consider updating diffs in place, rather than the linked list style approach here?

[StephenButtolph]

Diffs are created for a few reasons. But the reason the diffs are designed this way is because each diff (can) represent the changes that are performed by a block. When a block is verified a diff is created. When a block is accepted a diff is applied to the disk state.

Diffs are updated in-place during the execution (verification) of a block - but we wouldn't want a child block to modify the state that will be committed when the parent block is accepted (as the child could be rejected for a different child)

[cam-schultz]

It's a bit odd to call out the error type here when that's not enforceable by the interface

[StephenButtolph]

I don't think this is particularly unusual... This is done in the standard lib as well. For an example, see SetDeadline here: https://pkg.go.dev/net#Conn

[cam-schultz]

A comment explaining that the default value is written to the map would be helpful. Or consider renaming to getOrAddDefault

[StephenButtolph]

did both

[cam-schultz]

What's the expected behavior of WeightOfSubnetOnlyValidators after the entry is deleted from the DB and the cache entry expires? If it's to error, perhaps we should not write to the cache so that WeightOfSubnetOnlyValidators deterministically errors for any subnets with weight 0.

[StephenButtolph]

WeightOfSubnetOnlyValidators calls database.WithDefault(database.GetUInt64, s.weightsDB, subnetID[:], 0) which will return 0 if the value is not on disk. So, WeightOfSubnetOnlyValidators deterministically returns 0 for any subnets with weight 0.

[darioush]

Suggested change

	// SubnetOnlyValidator with the given validationID. It is guaranteed that any
	// returned validator is either active or inactive.
	// returned validator is either active or inactive (not deleted).