ChainDB: allow EBB with same block number as the immutable block #1625
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mrBliss
commented
Feb 11, 2020
There was a problem hiding this comment.
I still need to write a proper test for this. I have verified that this fixes the bug with a real node.
Potential testing approach: add WipeVolatileDB command to the ChainDB q-s-m tests. Partially wiping the VolatileDB or even truncating the ImmutableDB would be better but is much harder to accomplish because of implementation details.
| -- If we switch to PBFT for these tests, this case is not required anymore | ||
| -- TODO: We should not make assumptions about the underlying | ||
| -- ledger. We will fix this in | ||
| -- <https://github.com/input-output-hk/ouroboros-network/issues/1571> |
There was a problem hiding this comment.
This special case is gone without #1571. Unverified: maybe we only needed it to not ignore the EBB, but we still don't adopt EBBs immediately when adding them, only when their successor is added? If that's true, then PBFT would change that, but then it is not that important to make that change.
There was a problem hiding this comment.
Hang on, didn't we verify this? And it still failed? What am I getting confused with?
There was a problem hiding this comment.
(This will have a minor conflict with my PR I guess.)
Comment on lines
+102
to
+106
| instance ModelSupportsBlock TestBlock where | ||
| isEBB = const IsNotEBB |
There was a problem hiding this comment.
A bit annoying: this TestBlock lives in test-util, so it cant implement ModelSupportsBlock (test-consensus) itself, hence the orphans 😞.
edsko
approved these changes
Feb 12, 2020
| -- Exception: the block we're adding is the EBB with the same block | ||
| -- number as the immutable tip. This can only happen when the | ||
| -- VolatileDB was corrupted. | ||
| not (At (blockNo hdr) == immBlockNo && cdbIsEBB hdr == IsEBB) -> |
There was a problem hiding this comment.
Should we introduce an olderThanK predicate, document it with this comment, and then use that here and above rather than duplicate this logic?
| -- If we switch to PBFT for these tests, this case is not required anymore | ||
| -- TODO: We should not make assumptions about the underlying | ||
| -- ledger. We will fix this in | ||
| -- <https://github.com/input-output-hk/ouroboros-network/issues/1571> |
There was a problem hiding this comment.
Hang on, didn't we verify this? And it still failed? What am I getting confused with?
| => NodeConfig (BlockProtocol blk) | ||
| -> blk | ||
| -> Model blk -> Model blk | ||
| addBlock cfg blk m | ||
| -- If the block is as old as the tip of the ImmutableDB, i.e. older than | ||
| -- @k@, we ignore it, as we can never switch to it. TODO what about EBBs? |
| -- If we switch to PBFT for these tests, this case is not required anymore | ||
| -- TODO: We should not make assumptions about the underlying | ||
| -- ledger. We will fix this in | ||
| -- <https://github.com/input-output-hk/ouroboros-network/issues/1571> |
There was a problem hiding this comment.
(This will have a minor conflict with my PR I guess.)
| , not addingGenesisEBBToEmptyDB | ||
| -- @k@, we ignore it, as we can never switch to it. | ||
| | At (Block.blockNo blk) <= immBlockNo | ||
| , not (At (Block.blockNo blk) == immBlockNo && isEBB (getHeader blk) == IsEBB) |
There was a problem hiding this comment.
So this is basically the same change from the real DB to the model.
There was a problem hiding this comment.
In my last version, I reuse the new function from .ChainSel in the model.
mrBliss
force-pushed
the
mrBliss/fix-1624
branch
from
aa1dc7a
to
2be600b
Compare
mrBliss
force-pushed
the
mrBliss/fix-1624
branch
from
2be600b
to
bade99b
Compare
|
I have created #1628 for testing this properly. Note that I have already verified it manually using |
intricate
approved these changes
Feb 12, 2020
|
bors r+ |
mrBliss
added a commit
that referenced
this pull request
Mar 24, 2020
To verify whether #1625 correctly fixed the bug found in #1624, I reverted the fix from #1625 in the real implementation (but not in the model), i.e.: ```diff modified ouroboros-consensus/src/Ouroboros/Consensus/Storage/ChainDB/Impl/ChainSel.hs @@ -224,7 +224,7 @@ addBlockSync cdb@CDB {..} BlockToAdd { blockToAdd = b, .. } = do -- ### Ignore if - | olderThanK hdr (cdbIsEBB hdr) immBlockNo -> do + | At (blockNo hdr) <= immBlockNo && blockNo hdr /= 0 -> trace $ IgnoreBlockOlderThanK (blockRealPoint b) deliverPromises curTip ``` and ran many ChainDB.StateMachine tests. Disappointingly, the tests never failed because of this bug (they did trigger a bug in the previous commit, though). After a long investigation, I discovered it was because the storage `TestBlock` uses BFT, and its `ConsensusProtocol` and `ValidateEnvelope` instances, which do not account for EBBs, *in conjunction with EBBs*. Many blocks (especially the first block or EBB) we generated that we thought were valid, were actually invalid because they didn't have the expected block number! As a consequence, we were not able to generate a scenario in which the bug manifested itself. The fix: * Use the `ModChainSel` combinator to override `compareCandidates` to be EBB-aware, like in PBFT. This approach is simpler than switching to PBFT entirely, as validation and other things are more complex in PBFT, and we want to keep the test block as simple as possible. * Override the `ValidateEnvelope` instance to be EBB-aware. Similar to Byron's instance, but where Byron *requires* the chain to start with an EBB with block number 0, we allow either such an EBB or a regular block with block number 1. With these changes, we can finally trigger the bug in <1000 tests, e.g., k = 2, chunk/epoch size irrelevant, EBBs allowed * Add and adopt regular block A fitting on genesis * Add and adopt regular block B fitting on A * Add and adopt regular block C fitting on B * Run background tasks: block A is copied to the ImmutableDB * Wipe the VolatileDB: A is now the immutable tip, B and C are gone * Add and adopt the EBB of the next epoch, fitting on A. This EBB will have the same block number as A. Before #1625, the EBB was ignored instead of adopted, with the fix it's not. Moreover, move the test config creation to the test block module.
mrBliss
added a commit
that referenced
this pull request
Mar 31, 2020
To verify whether #1625 correctly fixed the bug found in #1624, I reverted the fix from #1625 in the real implementation (but not in the model), i.e.: ```diff modified ouroboros-consensus/src/Ouroboros/Consensus/Storage/ChainDB/Impl/ChainSel.hs @@ -224,7 +224,7 @@ addBlockSync cdb@CDB {..} BlockToAdd { blockToAdd = b, .. } = do -- ### Ignore if - | olderThanK hdr (cdbIsEBB hdr) immBlockNo -> do + | At (blockNo hdr) <= immBlockNo && blockNo hdr /= 0 -> trace $ IgnoreBlockOlderThanK (blockRealPoint b) deliverPromises curTip ``` and ran many ChainDB.StateMachine tests. Disappointingly, the tests never failed because of this bug (they did trigger a bug in the previous commit, though). After a long investigation, I discovered it was because the storage `TestBlock` uses BFT, and its `ConsensusProtocol` and `ValidateEnvelope` instances, which do not account for EBBs, *in conjunction with EBBs*. Many blocks (especially the first block or EBB) we generated that we thought were valid, were actually invalid because they didn't have the expected block number! As a consequence, we were not able to generate a scenario in which the bug manifested itself. The fix: * Use the `ModChainSel` combinator to override `compareCandidates` to be EBB-aware, like in PBFT. This approach is simpler than switching to PBFT entirely, as validation and other things are more complex in PBFT, and we want to keep the test block as simple as possible. * Override the `ValidateEnvelope` instance to be EBB-aware. Similar to Byron's instance, but where Byron *requires* the chain to start with an EBB with block number 0, we allow either such an EBB or a regular block with block number 1. With these changes, we can finally trigger the bug in <1000 tests, e.g., k = 2, chunk/epoch size irrelevant, EBBs allowed * Add and adopt regular block A fitting on genesis * Add and adopt regular block B fitting on A * Add and adopt regular block C fitting on B * Run background tasks: block A is copied to the ImmutableDB * Wipe the VolatileDB: A is now the immutable tip, B and C are gone * Add and adopt the EBB of the next epoch, fitting on A. This EBB will have the same block number as A. Before #1625, the EBB was ignored instead of adopted, with the fix it's not. Moreover, move the test config creation to the test block module.
mrBliss
added a commit
that referenced
this pull request
Apr 1, 2020
To verify whether #1625 correctly fixed the bug found in #1624, I reverted the fix from #1625 in the real implementation (but not in the model), i.e.: ```diff modified ouroboros-consensus/src/Ouroboros/Consensus/Storage/ChainDB/Impl/ChainSel.hs @@ -224,7 +224,7 @@ addBlockSync cdb@CDB {..} BlockToAdd { blockToAdd = b, .. } = do -- ### Ignore if - | olderThanK hdr (cdbIsEBB hdr) immBlockNo -> do + | At (blockNo hdr) <= immBlockNo && blockNo hdr /= 0 -> trace $ IgnoreBlockOlderThanK (blockRealPoint b) deliverPromises curTip ``` and ran many ChainDB.StateMachine tests. Disappointingly, the tests never failed because of this bug (they did trigger a bug in the previous commit, though). After a long investigation, I discovered it was because the storage `TestBlock` uses BFT, and its `ConsensusProtocol` and `ValidateEnvelope` instances, which do not account for EBBs, *in conjunction with EBBs*. Many blocks (especially the first block or EBB) we generated that we thought were valid, were actually invalid because they didn't have the expected block number! As a consequence, we were not able to generate a scenario in which the bug manifested itself. The fix: * Use the `ModChainSel` combinator to override `compareCandidates` to be EBB-aware, like in PBFT. This approach is simpler than switching to PBFT entirely, as validation and other things are more complex in PBFT, and we want to keep the test block as simple as possible. * Override the `ValidateEnvelope` instance to be EBB-aware. Similar to Byron's instance, but where Byron *requires* the chain to start with an EBB with block number 0, we allow either such an EBB or a regular block with block number 1. With these changes, we can finally trigger the bug in <1000 tests, e.g., k = 2, chunk/epoch size irrelevant, EBBs allowed * Add and adopt regular block A fitting on genesis * Add and adopt regular block B fitting on A * Add and adopt regular block C fitting on B * Run background tasks: block A is copied to the ImmutableDB * Wipe the VolatileDB: A is now the immutable tip, B and C are gone * Add and adopt the EBB of the next epoch, fitting on A. This EBB will have the same block number as A. Before #1625, the EBB was ignored instead of adopted, with the fix it's not. Moreover, move the test config creation to the test block module.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #1624.