New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Verify incoming TransmissionResponse
s
#3083
Conversation
I believe this risks OOMing the validator. I know of two paths where we request transmissions:
We could receive many pings in parallel, and a single For pings I'd imagine it would be better to follow the path of For |
@@ -363,7 +363,7 @@ impl<N: Network> Worker<N> { | |||
self.spawn(async move { | |||
while let Some((peer_ip, transmission_response)) = rx_transmission_response.recv().await { | |||
// Process the transmission response. | |||
self_.finish_transmission_request(peer_ip, transmission_response); | |||
self_.finish_transmission_request(peer_ip, transmission_response).await; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
do we need to process the transmission response entries in the order they arrive? if not, we could spawn tasks that performs this action, in order to be able to perform multiple of them concurrently
@@ -182,16 +182,13 @@ impl<N: Network, C: ConsensusStorage<N>> LedgerService<N> for CoreLedgerService< | |||
(TransmissionID::Transaction(expected_transaction_id), Transmission::Transaction(transaction_data)) => { | |||
match transaction_data.clone().deserialize_blocking() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it's not ideal that we do blocking deserialization in an async
context; we should either do it before calling check_transaction_basic
(with a deserialized transaction), or use a blocking task here
@@ -201,16 +198,13 @@ impl<N: Network, C: ConsensusStorage<N>> LedgerService<N> for CoreLedgerService< | |||
(TransmissionID::Solution(expected_commitment), Transmission::Solution(solution_data)) => { | |||
match solution_data.clone().deserialize_blocking() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ditto
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Left a few comments; LGTM in general, but there are some performance considerations.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
check_transmission_basic
is too strict for all TransmissionResponse
. It will cause liveness issues. For example, it's common that a valid Certificate
contains a transaction that tries to consume a serial number that is already consumed. With this patch, the validator will fail to sync the transaction and thus will fail to fetch the Certificate
.
The validator should perform some more basic checks (e.g. exclude Fee transaction, invalid format) before signing BatchPropose
. It should not reject the transaction if already included in a Certificate
.
Co-authored-by: ljedrz <ljedrz@users.noreply.github.com> Signed-off-by: Raymond Chu <14917648+raychu86@users.noreply.github.com>
@randomsleep can you elaborate?
This sounds like something which should be invalid.
This PR introduces calling |
I believe @randomsleep might be correct that we may not need to verify the transmissions in the BatchCertificate, because it may prevent us from syncing certificates that are included in a subsequent subdag. Perhaps these transactions/double-spends were going to be aborted in the block; instead, we forcefully ignore ignore transmissions which prevents us from syncing up with the certificate. The validator would then get stuck until is starts syncing via blocks. Definitely needs more thought. However, we definitely do need to verify the transmissions from the proposals. |
Yes, @raychu86 have explained. However, while checking 'BatchPropose', we should also allow duplicated transactions. This is because at the time some validarors may have committed some transactions but others haven't. |
My thoughts on transaction checking rules:
|
This should be replaced by AleoNet/snarkVM#2376 and #3104. |
Motivation
This PR performs transmission verification when processing transmissions from
TransmissionResponse
s. Previously we were blindly accepting them into the batch, which could lead to possible halting cases, where malicious nodes inject faulty transactions.This should fix:
#2990
#2991