Rewrite Task of listening Stellar Messages

[b-yap]

Summary

We need to fix the vaults from getting unknowingly stuck, potentially caused by running unhandled zombie tasks.

One idea is to include the polling of the stellar messages:

spacewalk/clients/vault/src/oracle/agent.rs

Lines 100 to 104 in 7c79898

	match overlay_conn.listen() {
	Ok(Some(msg)) => {
	let msg_as_str = to_base64_xdr_string(&msg);
	if let Err(e) =
	handle_message(msg, collector_clone.clone(), &sender_clone).await

in the monitoring:

spacewalk/clients/vault/src/system.rs

Lines 806 to 817 in 7c79898

	let tasks = self.create_tasks(
	startup_height,
	account_id,
	is_public_network,
	vault_public_key,
	oracle_agent,
	issue_map,
	ledger_env_map,
	memos_to_issue_ids,
	)?;
	run_and_monitor_tasks(self.shutdown.clone(), tasks).await

This means updating the OracleAgent's message_sender is delayed; passing the OracleAgent to tasks must be mutable; hence using Arc<RwLock<>> instead of Arc<> alone.

But we cannot have these current tasks STARTING TOGETHER WITH the polling task. The Stellar-overlay has to run already, and all open requests MUST finish first.

spacewalk/clients/vault/src/system.rs

Lines 787 to 790 in 7c79898

	self.create_oracle_agent(is_public_network, self.shutdown.clone()).await?;
	self.agent = Some(oracle_agent.clone());
	self.execute_open_requests(oracle_agent.clone());

An idea is to introduce another variant of the ServiceTask, where it waits for something to finish before a task starts. Prechecking will be required.

enum ServiceTask {
	...
	// Runs a task after a prequisite check has passed.
	PrecheckRequired(Task),
}

And to make sure the stellar-overlay and the client are communicating well, stellar-overlay will also send to client the:

• hello message - useful to signal the client to prepare itself
• lib-related error - this way the client will not wait forever, if stellar-overlay has issues.

---

How to start reviewing:

stellar-relay-lib

• Reduce clones in any way possible
  • use pass-by-value instead, to avoid cloning references
    • from (&param) to (param)
  • reuse variables that were passed by reference
    • made obvious in message_reader.rs file
  • clone only the needed field, instead of the whole structure
• Return a lib-specific error and hello message
  • To signal the user (the agent) if the relay has started; and if the lib itself encountered a problem
• Reposition timeouts and yields wisely
• Let the user do the polling/looping

vault

• Removed err-derive dependency, and just use the existing thiserror dependency.
• Removed unused errors, like the RpcError
• tokio_spawn for naming tasks. This is only viable for tokio_unstable.
• Increase the event buffer capacity of the console-subscriber
• OracleAgent adjustment
  • Instead of Arc<OracleAgent>, it will be Arc<RwLock<OracleAgent>>
    • initializing the field message_sender is moved a bit later in the code; hence we need OracleAgent to be mutable.
• Listening for stellar messages will be monitored, alongside other tasks.
  • Every minute, a health check will be logged, to ensure messages coming from Overlay
  • When receiving hello message, flag the proof building.
    • Continue to log messages, until the first slot was saved. Afterwards, this flag is not needed anymore.
• proof_builder.rs
  • Build proof ONLY if it's ready (if a slot was saved, meaning the overlay is running)
• system.rs
  • Added another variant of ServiceTask; the PrecheckRequired
    • Executing open requests is required before running some tasks; once finished, these tasks will start.
      The following tasks need this precheck:
      * issue::listen_for_issue_requests
      * issue::listen_for_issue_cancels
      * issue::listen_for_executed_issues
      * CancellationScheduler for Issue
      * CancellationScheduler for Replace
      * listen_for_replace_requests
      * listen_for_accept_replace
      * active_block_listener

I will add relevant comments when necessary.

[b-yap]

start the thread ONLY if precheck is finished.

[ebma]

Should we add a form of timeout here so that it's easier to find tasks that never start because the precheck doesn't resolve?

[b-yap]

I forgot to reply to this..
I did not use a timeout, but the try_recv(); if it's not ready, then the loop will continue.
The loop ends until it is a success OR an error happens.

[b-yap]

reduce clones

[b-yap]

Consume hello

[b-yap]

instead of returning a "cloned" readbuf, reuse it.

[b-yap]

instead of sending back a cloned value, reuse the readbuf.

[b-yap]

Eliminate an all out clone of NodeInfoCfg. We only need to clone 1 field, the version_str

[b-yap]

reduce clone by consuming Hello

[b-yap]

Remove extra timeout. Timeouts can be triggered from inside the polling.

[b-yap]

allow naming tasks, if allow-debugger feature is on.

[ebma]

Do we need to add this check? Or can we just always use the builder pattern and in case the allow-debugger feature is not enabled, the name just wouldn't show?

[b-yap]

the builder only works for tokio unstable, unfortunately.

[b-yap]

We do not need this signal anymore; OverlayConnection already implements Drop trait.

[b-yap]

Renamed to listen_for_stellar_messages(...) to return nothing. This is an added task to be monitored in the tokio_metrics

[b-yap]

This is intentional, to keep logging every minute to show whether the vault is stuck or not.

[ebma]

Let's move the 60 to an extra constant variable instead of using a magic number. And let's increase it to something like 10 minutes. Otherwise the logs will get bloated quickly just by this health check.

[b-yap]

Removed tokio::select, since this task will close based on the run_and_monitor_task().

[b-yap]

This is unnecessary already; the Drop trait will handle dropping connections

[b-yap]

This is only for testing purposes

[b-yap]

proof building is ready; we do not need this flag/signal anymore.

[b-yap]

Moved this at the bottom of the file

[b-yap]

moved this at the top of the file

[b-yap]

We are now starting the StellarRelay inside the monitored tasks; NOT here/

[b-yap]

This github actions is using a deprecated set-output:

The `set-output` command is deprecated and will be disabled soon. Please upgrade to using Environment Files.

Replaced with dtolnay

[ebma]

This is a great improvement, thanks a lot @b-yap! We need to adjust some of the log levels because some messages are a bit spammy for 'regular' vault operators.

Some experiments

I ran the amplitude USDC #1 vault locally to check the resource consumption with tokio-
console.

tokio-console after ~1.5 h (run #1)

CPU usage after ~1.5h: (84% is quite a lot.., almost a full single core of my system consumed by the vault)

---

After a while it seemed like tokio-console was not updating properly anymore so I was curious if tokio-console stopped working andI tried restarting it but it is not able to connect again. I tested if the vault is still operational by creating fresh issue and redeem requests against it and indeed, it was able to pick them up and complete them as expected. So maybe it's just some bug with tokio-console that makes it unable to connect after a while.

Unable to connect:

Proof that it's still able to process issue and redeem requests even though tokio-console shows blank:

---

To check the CPU usage, I then ran the vault a second time

CPU usage after 5 min:

We can see that in the beginning (before having received/processed any issue/redeem request) the % CPU is at ~2%- 3%.

I then ran the spacewalk-testing-service so created first 1 issue request and then 1 redeem request.

This increased the % CPU to ~5%

I kept monitoring this for about 10 minutes and from then on, the % CPU fluctuated between 4%-10%. It's hard to say this for sure but it might suggest that the resource consumption increases after an issue or redeem request is processed but stays more or less constant before.

After 20 minutes it stayed almost always above 10%..
tokio-console after 20 minutes:

I'll try to experiment with this again tomorrow. I still don't understand how the CPU consumption constantly increases over time. But at least we don't have any deadlocked tasks anymore and every task apparently properly yields. Which is a great improvement over what we had before.

[ebma]

Nit: let's expect() here

[ebma]

Suggested change

	tracing::info!("get_envelopes_from_horizon_archive(): Fetching SCP envelopes from horizon archive for slot {slot}...");
	tracing::debug!("get_envelopes_from_horizon_archive(): Fetching SCP envelopes from horizon archive for slot {slot}...");

[ebma]

Let's move the 60 to an extra constant variable instead of using a magic number. And let's increase it to something like 10 minutes. Otherwise the logs will get bloated quickly just by this health check.

[ebma]

Suggested change

	tracing::info!("get_txset(): FOR SLOT {slot} check_slot_still_recoverable_from_overlay: LAST SLOT INDEX: {}",self.last_slot_index());
	tracing::debug!("get_txset(): FOR SLOT {slot} check_slot_still_recoverable_from_overlay: LAST SLOT INDEX: {}",self.last_slot_index());

[ebma]

Suggested change

	tracing::info!("_get_envelopes(): FOR SLOT {slot} check_slot_still_recoverable_from_overlay: LAST SLOT INDEX: {}",self.last_slot_index());
	tracing::debug!("_get_envelopes(): FOR SLOT {slot} check_slot_still_recoverable_from_overlay: LAST SLOT INDEX: {}",self.last_slot_index());

[ebma]

Suggested change

	tracing::info!("get_proof(): attempt to build proof for slot {slot}");
	tracing::debug!("get_proof(): attempt to build proof for slot {slot}");

[gianfra-t]

So we are now doing await on this vs spawning in a new thread as before. This means if I understand correctly that build_proof will now wait here and the loop won't continue and call build_proof again. Why don't we need this behavior anymore now?

[b-yap]

Before tokio-console: when the vaults hang, the last logs are in build_proof section getting data from the archive.

I wanted to eliminate unnecessary tasks as possible, especially since these are not monitored at all. Should the original tokio::spawn(self.get_txset_from_horizon_archive(slot)); become a zombie, there is nothing to stop that task.

The time spent looping build_proof continuously while the map is empty
VS
The time spent waiting for the archive to fill the map

is just the same.

[gianfra-t]

I see! makes sense, in fact makes much more sense since get_txset_from_horizon_archive will return when the tx_set was found. But before we were potentially actually spawning many instances of get_txset_from_horizon_archive for the same slot, I thought maybe we needed several of these tasks, or that we needed to continue and return a proof with None set.

[ebma]

Sorry for leaving more comments yet again. I pointed out more logs that I think we should turn to the debug log level instead.

Besides that I encountered an error when running the vault locally. It happened on start

thread 'tokio-runtime-worker' panicked at clients/runtime/src/rpc.rs:296:49:
called `Result::unwrap()` on an `Err` value: Rpc(ClientError(MaxSlotsExceeded))

It's unrelated to the changes of this PR but @b-yap if it's not too complex, maybe you could try to replace all the unwrap() calls in clients/runtime/src/rpc.rs as part of this as well? 😬

---

I also want to share good news though. Further experiments I did locally showed that the CPU usage only piles up when running the vault with --features allow-debugger ie. support for debugging with tokio-console. Without that flag, the client's resource consumption remains quite low at ~1-4% when idling. Seems like the refactoring indeed fixed our bugs with tokio and we can be optimistic that these changes greatly improve the performance once live on production (without the debugging enabled).

[ebma]

I'm not sure I understand why we need this variable? Also, with Option it can now be three things, None, Some(true) and Some(false). As far as I can tell, we only check for Some(true) and never for None so it should be fine if we don't make it an Option type but a simple boolean as we apparently only need the two cases.

[ebma]

Nit: this is missing in the doc comment above.

[ebma]

Nit: make this and the other similar logs debug

[ebma]

Suggested change

	tracing::info!("listen_for_replace_requests(): started");
	tracing::debug!("listen_for_replace_requests(): started");

[ebma]

Suggested change

	let (precheck_signal, mut rceiver) = tokio::sync::broadcast::channel(1);
	let (precheck_signal, mut receiver) = tokio::sync::broadcast::channel(1);

[ebma]

I think this is problematic because we are again creating tasks that never yield, potentially causing issues for the scheduling of other tasks.

Suggested change

	Err(TryRecvError::Empty) =>
	tracing::trace!("wait_or_shutdown precheck signal: waiting..."),
	Err(TryRecvError::Empty) => {
	tracing::trace!("wait_or_shutdown precheck signal: waiting..."),
	sleep(Duration::from_millis(100)).await; // Yield to the runtime
	}

[gianfra-t]

Or we can use precheck_signal.recv().await? this one is async.

[b-yap]

await will not yield; it will potentially wait forever. I've yielded instead of the sleep.

[gianfra-t]

I think if the receiver precheck_signal has already consumed the message then next time calling recv().await, it will yield until a new one arrives. Or do you think there will always be a message in the broadcast channel?

This implementation is equivalent though. But with try_recv we do need to yield that's true.

[b-yap]

do you think there will always be a message in the broadcast channel?

It will only send 1 () message. See lines 335-337 in clients/vault/src/requests/execution.rs.

The first try was to use recv().await but the possibility of it waiting forever is there.

However.. we also cannot move forward with the task anyway, if the precheck (or the execute_open_requests) is not finished.
I also would not like to wrap the recv() in a timeout() because open requests might really take longer than the timeout we set. Also, a timeout is another thread; That's 8 tasks requiring prechecks, meaning 8 additional threads. (See Marcel's comment for the image of these tasks: Issue Cancel Listener, Issue Request Listener, etc.)

[b-yap]

Readability, reverting to recv().await would be better. I would add that back, but we have to risk it awaiting.
I think execute_open_requests() is reliable enough to be able to send the message fast.

[gianfra-t]

Super nice (and involved😅) refactor 💪! And I'm glad it solved the hanging and apparently also the high CPU usage issue. Thanks @b-yap for going back to my questions and comments.

[ebma]

Great that you found a way to get rid of the ArcRwLOck on the oracle agent, improves the readability a lot 🙏

[ebma]

Can we map this to an error instead of expecting or would that require a lot of refactoring?

[ebma]

I think we unfortunately cannot expect this to never fail, so it would be very good if we can handle this error gracefully.

[b-yap]

wrapped it inside Error::SubxtRuntimeError()

[b-yap]

@ebma @gianfra-t CI passed. Merging this.