Adds Prepared Certificates to ensure Istanbul liveness #366
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 30 commits
May 13, 2019 13:36
added 3 commits
September 5, 2019 15:48
Edge case where prepared view could be round 0, but the prepared certificate would never be recorded as the largest prepared certificate seen in the round change certificate.
asaj
reviewed
Sep 6, 2019
consensus/istanbul/core/request.go
Outdated
| @@ -33,8 +41,9 @@ func (c *core) handleRequest(request *istanbul.Request) error { | |||
| logger.Trace("handleRequest", "number", request.Proposal.Number(), "hash", request.Proposal.Hash()) | |||
|
|
|||
| c.current.pendingRequest = request | |||
| if c.state == StateAcceptRequest { | |||
| c.sendPreprepare(request) | |||
| // Must go through startNewRound to send a proposal that matches the round change certificate if not on the first round. | |||
There was a problem hiding this comment.
In that case, maybe change the comment to Must go through startNewRound to send proposals for round > 0?
| } | ||
|
|
||
| // Verify ROUND CHANGE message is for a proper view | ||
| // TODO(joshua): May be able to relax to the proposal is >= than the round change message. |
There was a problem hiding this comment.
I still don't understand. Wouldn't the proposal need to be for the view that the round change certificate moves us to?
| if err := c.verifyPreparedCertificate(roundChange.PreparedCertificate); err != nil { | ||
| return err | ||
| } | ||
| // The prepared certificate with the highest round number carries the proposal we must use |
There was a problem hiding this comment.
Can you elaborate in the comment why the prepared certificate may have a previous view?
| } | ||
| // The prepared certificate with the highest round number carries the proposal we must use | ||
| preparedView := roundChange.PreparedCertificate.View() | ||
| if preparedView != nil && preparedView.Round.Cmp(maxRound) > 0 { |
There was a problem hiding this comment.
What happens if the prepared certificate has a later view than the round change messages?
There was a problem hiding this comment.
Good catch. My feeling is that we should reject the round change certificate for having an invalid round change message. I'd probably also need to change handleRoundChange to verify the prepared certificate view against the round change message view.
added 12 commits
September 6, 2019 09:57
Longer name, but more accurate.
This builds a logger with the current sequence, round, and state.
Explains why we need to use the proposal from the prepared certificate with the largest round number.
Reject RC messages where the prepared view is greater than the proposal view.
trianglesphere
commented
Sep 6, 2019
added 2 commits
September 6, 2019 11:25
Reading through CalcProposer and LastProposal, the last proposer is the proposer of the last block, and calc proposer does not rely on the current proposer, thus I think it's fine if there is a large jump in round number in this function.
asaj
approved these changes
Sep 6, 2019
There was a problem hiding this comment.
Wow, this is a big one, nice work 👍
Please wait until @timmoreton or @kevjue finish reviewing before merging
| @@ -96,6 +95,21 @@ type core struct { | |||
| consensusTimer metrics.Timer | |||
| } | |||
|
|
|||
| // Appends the current view and state to the given context. | |||
| func (c *core) NewLogger(ctx ...interface{}) log.Logger { | |||
| c.sendCommitForOldBlock(preprepare.View, preprepare.Proposal.Hash()) | ||
| return nil | ||
| } | ||
| } | ||
| // Already in the next round b/c handleRoundChangeCertificate moves us to the next round. |
There was a problem hiding this comment.
Hmm okay I think I was just confused by the comment, consider making it more verbose/explicit
|
@timmoreton @asaj Are you ready yet? |
kevjue
added a commit
that referenced
this pull request
Sep 24, 2019
* Add precompiles to access validator set (#441) * set max gas to double of the charged gas for the 'intrinsic' smart contract calls (#472) * set max gas to double of the charged gas for the 'intrinsic' evm operations * addressed PR comments * addressed pr comment * Adds Prepared Certificates to ensure Istanbul liveness (#366) * Check message address against signature (#477) * Check signing validator's address matches msg address * Add comments about use of sig data in tests * Try fix Circle build test failures * Try fix Circle build test failures, take 2
kevjue
added a commit
that referenced
this pull request
Sep 25, 2019
* contract_comm/currency/currency.go * fixed the txn price-sorted min-heap * merge master (#490) * Add precompiles to access validator set (#441) * set max gas to double of the charged gas for the 'intrinsic' smart contract calls (#472) * set max gas to double of the charged gas for the 'intrinsic' evm operations * addressed PR comments * addressed pr comment * Adds Prepared Certificates to ensure Istanbul liveness (#366) * Check message address against signature (#477) * Check signing validator's address matches msg address * Add comments about use of sig data in tests * Try fix Circle build test failures * Try fix Circle build test failures, take 2
kevjue
added a commit
that referenced
this pull request
Sep 25, 2019
* added new option --use-in-memory-discovery-table * merge master (#489) * Adds Prepared Certificates to ensure Istanbul liveness (#366) * Check message address against signature (#477) * Check signing validator's address matches msg address * Add comments about use of sig data in tests * Try fix Circle build test failures * Try fix Circle build test failures, take 2
kevjue
added a commit
that referenced
this pull request
Sep 25, 2019
* Check message address against signature (#477) * Check signing validator's address matches msg address * Add comments about use of sig data in tests * Try fix Circle build test failures * Try fix Circle build test failures, take 2 * tx price heap fix (#471) * contract_comm/currency/currency.go * fixed the txn price-sorted min-heap * merge master (#490) * Add precompiles to access validator set (#441) * set max gas to double of the charged gas for the 'intrinsic' smart contract calls (#472) * set max gas to double of the charged gas for the 'intrinsic' evm operations * addressed PR comments * addressed pr comment * Adds Prepared Certificates to ensure Istanbul liveness (#366) * Check message address against signature (#477) * Check signing validator's address matches msg address * Add comments about use of sig data in tests * Try fix Circle build test failures * Try fix Circle build test failures, take 2 * added new option --use-in-memory-discovery-table (#479) * added new option --use-in-memory-discovery-table * merge master (#489) * Adds Prepared Certificates to ensure Istanbul liveness (#366) * Check message address against signature (#477) * Check signing validator's address matches msg address * Add comments about use of sig data in tests * Try fix Circle build test failures * Try fix Circle build test failures, take 2 * Allow v4/v5 on a bootnode simultaneously, allow mobile to use discv5 (#454) * changes for isolating celo networks * changes to get unit tests working * changes to add salt in the discovery packets * removed checking for the ip address when handling a reply * added ping-ip-from-packet option to bootnode * for handling expected replies, don't filter on expected sender ip address if --pingIPFromPacket is used * Add v4 flag * Add unhandled and quicken docker builds * Add salt & logs * Add v4 flag * Add PeerDiscovery to mobile node config * Remove logs * Remove hardcoded bootnodes * Add salt & turn on discv5 * Delete hardcoded eth bootnodes * Make Discoveryv5 configurable * Lint * Add comment to bootnode v4/v5 handling * Change PeerDiscovery -> NoDiscovery * Remove mobile geth no discovery * Reduce istanbul default timeout, cap exp backoff (#475) * Reduce istanbul default timeout, cap exp backoff * Ensure round 0 timeout factors in block period * Sanitize logs (#495) * Change registry lookup and infrastructure lookup error logs to debug level * Sanitize logs regarding registry deployment * Change empty abi logging and comment * Lower log level from error to warning for potentially outdated istanbul messages * Change back to an error message * Add input length checks for precompiled contracts (#476) * add input length checks * check exact input length. add a new error for input length. check input in a few more places * add tests that verify the input-length checks for contracts that don't require an evm instance * fix formatting * add comments to explain input length checks * run the formatter * e2e transfer test was failing because it passes in a transaction options object, making the input larger than 96 bytes * e2e tests have revealed that our precompiled contracts need to be tolerant of inputs that are longer than the bytes that are actually read
kevjue
pushed a commit
that referenced
this pull request
Sep 26, 2019
* Log on ValidatorElections * merge master (#496) * Check message address against signature (#477) * Check signing validator's address matches msg address * Add comments about use of sig data in tests * Try fix Circle build test failures * Try fix Circle build test failures, take 2 * tx price heap fix (#471) * contract_comm/currency/currency.go * fixed the txn price-sorted min-heap * merge master (#490) * Add precompiles to access validator set (#441) * set max gas to double of the charged gas for the 'intrinsic' smart contract calls (#472) * set max gas to double of the charged gas for the 'intrinsic' evm operations * addressed PR comments * addressed pr comment * Adds Prepared Certificates to ensure Istanbul liveness (#366) * Check message address against signature (#477) * Check signing validator's address matches msg address * Add comments about use of sig data in tests * Try fix Circle build test failures * Try fix Circle build test failures, take 2 * added new option --use-in-memory-discovery-table (#479) * added new option --use-in-memory-discovery-table * merge master (#489) * Adds Prepared Certificates to ensure Istanbul liveness (#366) * Check message address against signature (#477) * Check signing validator's address matches msg address * Add comments about use of sig data in tests * Try fix Circle build test failures * Try fix Circle build test failures, take 2 * Allow v4/v5 on a bootnode simultaneously, allow mobile to use discv5 (#454) * changes for isolating celo networks * changes to get unit tests working * changes to add salt in the discovery packets * removed checking for the ip address when handling a reply * added ping-ip-from-packet option to bootnode * for handling expected replies, don't filter on expected sender ip address if --pingIPFromPacket is used * Add v4 flag * Add unhandled and quicken docker builds * Add salt & logs * Add v4 flag * Add PeerDiscovery to mobile node config * Remove logs * Remove hardcoded bootnodes * Add salt & turn on discv5 * Delete hardcoded eth bootnodes * Make Discoveryv5 configurable * Lint * Add comment to bootnode v4/v5 handling * Change PeerDiscovery -> NoDiscovery * Remove mobile geth no discovery * Reduce istanbul default timeout, cap exp backoff (#475) * Reduce istanbul default timeout, cap exp backoff * Ensure round 0 timeout factors in block period * Sanitize logs (#495) * Change registry lookup and infrastructure lookup error logs to debug level * Sanitize logs regarding registry deployment * Change empty abi logging and comment * Lower log level from error to warning for potentially outdated istanbul messages * Change back to an error message * Add input length checks for precompiled contracts (#476) * add input length checks * check exact input length. add a new error for input length. check input in a few more places * add tests that verify the input-length checks for contracts that don't require an evm instance * fix formatting * add comments to explain input length checks * run the formatter * e2e transfer test was failing because it passes in a transaction options object, making the input larger than 96 bytes * e2e tests have revealed that our precompiled contracts need to be tolerant of inputs that are longer than the bytes that are actually read
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR removes the locking mechanism in IBFT and adds:
In addition, this overhauls the round change logic:
timeoutorf+1round change messages, transition toStateWaitingForNewRoundand if the new desired round (one past the timeout round or the RC message view), it will set the new desired round, send a round change message for the desired round, set a timeout for the desired round. (All these actions done incore.waitForDesiredRound)quorum RC messagesor around change certificatewhere the round associated with the messages is >= desired round, start a new round at the desired round and proceed with the normal consensus protocol.This addresses a bug in which F nodes could lock onto block A, while 2F nodes could lock onto block B, causing a permanent loss of liveness.
This PR also changes how the randomness source is verified to fix an issues with validators correctly re-proposing blocks.
Tested
Unit tests in consensus pass.
Testnets for old versions were working, going to spin up a testnet with latest.
Testing Changes:
actually do.
TestCommitsBlockAfterRoundChangeandTestPreparedCertificatePersistsThroughRoundChangebecause prepared certificates are generated, but no single node has committed, so it is fine to commit a different block than the original block from validator 0 as long as there is not a fork.Other changes
src instanbul.Validatorfrom being passed around endlesslycore.currentisnilinstartNewRoundand not in the message handlers, but I still includednilchecks there.Related issues
Backwards compatibility
No.