chore: [MR-620] Keep extra in-memory states (#2061)

The is the first PR towards removing in-memory state more eagerly at
checkpointed heights.
Currently, in-memory state at the previous checkpoint height is kept
until the next CUP, roughly the whole checkpointing interval. We plan to
remove it more eagerly and only keep it until the current CUP.

Currently,`remove_inmemory_states_below` purges states based on the
certified height referenced in the finalized tip. As certified height
could go beyond the summary block height, we need to keep certain states
for several rounds more until the current CUP is created. Thus Consensus
needs to inform state manager of the extra heights to keep through a new
API .

This PR extends the interface, adds implementation and tests in state
manager.
Next, Consensus will use this API with proper arguments, i.e. filling in
all the heights required for CUP creation and validation, and run
end-to-end tests.
After these two PRs, we can proceed with removing in-memory states more
eagerly at checkpointing heights.

Author: ShuoWangNSL

rs/consensus/src/consensus/purger.rs

@@ -18,6 +18,7 @@
 //!
 //! 4. Replicated states below the certified height recorded in the block
 //!    in the latest CatchUpPackage can be purged.
+use super::{bounds::validated_pool_within_bounds, MINIMUM_CHAIN_LENGTH};
 use crate::consensus::metrics::PurgerMetrics;
 use ic_consensus_utils::pool_reader::PoolReader;
 use ic_interfaces::{
@@ -34,10 +35,9 @@ use ic_types::{
     replica_config::ReplicaConfig,
     Height,
 };
+use std::collections::BTreeSet;
 use std::{cell::RefCell, sync::Arc};
 
-use super::{bounds::validated_pool_within_bounds, MINIMUM_CHAIN_LENGTH};
-
 pub(crate) const VALIDATED_POOL_BOUNDS_CHECK_FREQUENCY: u64 = 10;
 
 /// The Purger sub-component.
@@ -324,7 +324,8 @@ impl Purger {
             .certified_height
             .min(self.state_manager.latest_state_height());
 
-        self.state_manager.remove_inmemory_states_below(height);
+        self.state_manager
+            .remove_inmemory_states_below(height, &BTreeSet::new());
         trace!(
             self.log,
             "Purge replicated states below [memory] {:?}",
@@ -502,7 +503,9 @@ mod tests {
             state_manager
                 .get_mut()
                 .expect_remove_inmemory_states_below()
-                .withf(move |height| *height == *inmemory_purge_height_clone.read().unwrap())
+                .withf(move |height, _extra_heights| {
+                    *height == *inmemory_purge_height_clone.read().unwrap()
+                })
                 .return_const(());
 
             state_manager

rs/interfaces/state_manager/mocks/src/lib.rs

@@ -48,7 +48,7 @@ mock! {
 
         fn remove_states_below(&self, height: Height);
 
-        fn remove_inmemory_states_below(&self, height: Height);
+        fn remove_inmemory_states_below(&self, height: Height, extra_heights_to_keep: &std::collections::BTreeSet<Height>);
 
         fn commit_and_certify(
             &self,

rs/interfaces/state_manager/src/lib.rs

@@ -1,10 +1,12 @@
 //! The state manager public interface.
+
 use ic_crypto_tree_hash::{LabeledTree, MixedHashTree};
 use ic_types::{
     batch::BatchSummary, consensus::certification::Certification, CryptoHashOfPartialState,
     CryptoHashOfState, Height,
 };
 use phantom_newtype::BitMask;
+use std::collections::BTreeSet;
 use std::sync::Arc;
 use thiserror::Error;
 
@@ -233,15 +235,20 @@ pub trait StateManager: StateReader {
     fn remove_states_below(&self, height: Height);
 
     /// Notify the state manager that states committed with partial certification
-    /// state and heights strictly less than specified `height` can be removed.
+    /// state and heights strictly less than the specified `height` can be removed, except
+    /// for any heights provided in `extra_heights_to_keep`, which will still be retained.
     ///
     /// Note that:
     ///  * The initial state (height = 0) cannot be removed.
     ///  * Some states matching the removal criteria might be kept alive.  For
     ///    example, the last fully persisted state might be preserved to
     ///    optimize future operations.
     ///  * No checkpoints are removed, see also `remove_states_below()`
-    fn remove_inmemory_states_below(&self, height: Height);
+    fn remove_inmemory_states_below(
+        &self,
+        height: Height,
+        extra_heights_to_keep: &BTreeSet<Height>,
+    );
 
     /// Commits the `state` at given `height`, limits the certification to
     /// `scope`. The `state` must be the mutable state obtained via a call to

rs/state_manager/src/lib.rs

@@ -2181,7 +2181,8 @@ impl StateManagerImpl {
             .expect("Failed to receive deallocation notification");
     }
 
-    /// Remove any inmemory state at height h with h < last_height_to_keep, and
+    /// Remove any inmemory state at height h with h < last_height_to_keep
+    /// except for any heights provided in `extra_inmemory_heights_to_keep`, and
     /// any checkpoint at height h < last_checkpoint_to_keep
     ///
     /// Shared inner function of the public functions remove_states_below
@@ -2190,6 +2191,7 @@ impl StateManagerImpl {
         &self,
         last_height_to_keep: Height,
         last_checkpoint_to_keep: Height,
+        extra_inmemory_heights_to_keep: &BTreeSet<Height>,
     ) {
         debug_assert!(
             last_height_to_keep >= last_checkpoint_to_keep,
@@ -2223,6 +2225,19 @@ impl StateManagerImpl {
                     state_metadata.bundled_manifest.as_ref().map(|_| *height)
                 });
 
+        // The `extra_inmemory_heights_to_keep` is used for preserving in-memory states,
+        // but it can safely be included in the `heights_to_keep` set, which retains both
+        // in-memory states and checkpoints. This is safe because:
+        //
+        // 1. When called by `remove_inmemory_states_below`, checkpoints are never removed,
+        //    regardless of the inclusion of `extra_inmemory_heights_to_keep`, so no harm
+        //    or unnecessary preservation occurs.
+        //
+        // 2. When called by `remove_states_below`, `extra_inmemory_heights_to_keep` is always
+        //    an empty set, having no effect on the outcome.
+        //
+        // In the future, separating these sets could clarify their distinct purposes and
+        // simplify reasoning about correctness without relying heavily on input behavior.
         let heights_to_keep: BTreeSet<Height> = states
             .states_metadata
             .keys()
@@ -2232,6 +2247,7 @@ impl StateManagerImpl {
             })
             .chain(std::iter::once(latest_certified_height))
             .chain(latest_manifest_height)
+            .chain(extra_inmemory_heights_to_keep.iter().copied())
             .collect();
 
         // Send object to deallocation thread if it has capacity.
@@ -2368,9 +2384,11 @@ impl StateManagerImpl {
 
             let state_heights = self.list_state_heights(CERT_ANY);
 
-            debug_assert!(heights_to_keep.iter().all(|h| unfiltered_checkpoint_heights
-                .contains(h)
-                || *h == latest_certified_height));
+            debug_assert!(heights_to_keep
+                .iter()
+                .all(|h| unfiltered_checkpoint_heights.contains(h)
+                    || extra_inmemory_heights_to_keep.contains(h)
+                    || *h == latest_certified_height));
 
             debug_assert!(state_heights.contains(&latest_state_height));
             debug_assert!(state_heights.contains(&latest_certified_height));
@@ -3298,7 +3316,12 @@ impl StateManager for StateManagerImpl {
                 .min(oldest_checkpoint_to_keep)
         };
 
-        self.remove_states_below_impl(oldest_height_to_keep, oldest_checkpoint_to_keep);
+        // The public interface does not protect extra states, so we pass an empty set here.
+        self.remove_states_below_impl(
+            oldest_height_to_keep,
+            oldest_checkpoint_to_keep,
+            &BTreeSet::new(),
+        );
     }
 
     /// Variant of `remove_states_below()` that only removes states committed with
@@ -3310,7 +3333,12 @@ impl StateManager for StateManagerImpl {
     /// * The latest state
     /// * The latest certified state
     /// * State 0
-    fn remove_inmemory_states_below(&self, requested_height: Height) {
+    /// * Specified extra heights to keep
+    fn remove_inmemory_states_below(
+        &self,
+        requested_height: Height,
+        extra_heights_to_keep: &BTreeSet<Height>,
+    ) {
         let _timer = self
             .metrics
             .api_call_duration
@@ -3323,7 +3351,11 @@ impl StateManager for StateManagerImpl {
             .min(requested_height)
             .max(Height::new(1));
 
-        self.remove_states_below_impl(oldest_height_to_keep, Self::INITIAL_STATE_HEIGHT);
+        self.remove_states_below_impl(
+            oldest_height_to_keep,
+            Self::INITIAL_STATE_HEIGHT,
+            extra_heights_to_keep,
+        );
     }
 
     fn commit_and_certify(

rs/state_manager/tests/state_manager.rs

@@ -71,7 +71,7 @@ use ic_types::{
     CanisterId, CryptoHashOfPartialState, CryptoHashOfState, Height, NodeId, NumBytes, PrincipalId,
 };
 use ic_types::{epoch_from_height, QueryStatsEpoch};
-use maplit::btreemap;
+use maplit::{btreemap, btreeset};
 use nix::sys::time::TimeValLike;
 use nix::sys::{
     stat::{utimensat, UtimensatFlags},
@@ -1434,7 +1434,7 @@ fn cannot_remove_height_zero() {
 
         state_manager.remove_states_below(height(0));
         state_manager.flush_deallocation_channel();
-        state_manager.remove_inmemory_states_below(height(0));
+        state_manager.remove_inmemory_states_below(height(0), &BTreeSet::new());
 
         assert_eq!(state_manager.list_state_heights(CERT_ANY), vec![height(0),],);
 
@@ -1448,7 +1448,7 @@ fn cannot_remove_height_zero() {
 
         state_manager.remove_states_below(height(0));
         state_manager.flush_deallocation_channel();
-        state_manager.remove_inmemory_states_below(height(0));
+        state_manager.remove_inmemory_states_below(height(0), &BTreeSet::new());
 
         assert_eq!(
             state_manager.list_state_heights(CERT_ANY),
@@ -1481,7 +1481,7 @@ fn cannot_remove_latest_height_or_checkpoint() {
         // checkpoint can be retained until the hashing is complete.
         state_manager.flush_tip_channel();
         state_manager.remove_states_below(height(20));
-        state_manager.remove_inmemory_states_below(height(20));
+        state_manager.remove_inmemory_states_below(height(20), &BTreeSet::new());
         state_manager.flush_deallocation_channel();
 
         assert_eq!(
@@ -1504,7 +1504,7 @@ fn cannot_remove_latest_height_or_checkpoint() {
 
         state_manager.flush_tip_channel();
         state_manager.remove_states_below(height(20));
-        state_manager.remove_inmemory_states_below(height(20));
+        state_manager.remove_inmemory_states_below(height(20), &BTreeSet::new());
         state_manager.flush_deallocation_channel();
 
         assert_eq!(
@@ -1539,7 +1539,7 @@ fn can_remove_checkpoints_and_noncheckpoints_separately() {
         state_manager.flush_tip_channel();
 
         assert_eq!(state_manager.list_state_heights(CERT_ANY), heights);
-        state_manager.remove_inmemory_states_below(height(6));
+        state_manager.remove_inmemory_states_below(height(6), &BTreeSet::new());
 
         // Only odd heights should have been removed
         assert_eq!(
@@ -1579,6 +1579,97 @@ fn can_remove_checkpoints_and_noncheckpoints_separately() {
     });
 }
 
+#[test]
+fn remove_inmemory_states_below_can_keep_extra_states() {
+    state_manager_restart_test(|state_manager, restart_fn| {
+        let mut heights = vec![height(0)];
+        for i in 1..10 {
+            let (_height, state) = state_manager.take_tip();
+            heights.push(height(i));
+
+            let scope = if i % 2 == 0 {
+                CertificationScope::Full
+            } else {
+                CertificationScope::Metadata
+            };
+
+            state_manager.commit_and_certify(state, height(i), scope.clone(), None);
+        }
+        // We need to wait for hashing to complete, otherwise the
+        // checkpoint can be retained until the hashing is complete.
+        state_manager.flush_tip_channel();
+
+        assert_eq!(state_manager.list_state_heights(CERT_ANY), heights);
+
+        state_manager.remove_inmemory_states_below(height(5), &btreeset![height(1), height(7)]);
+
+        // State at height 1 is kept because of it is included in `extra_heights_to_keep`.
+        // The additional protection on the state at height 7 has no effect since it is above the requested height.
+        assert_eq!(
+            state_manager.list_state_heights(CERT_ANY),
+            vec![
+                height(0),
+                height(1),
+                height(2),
+                height(4),
+                height(5),
+                height(6),
+                height(7),
+                height(8),
+                height(9)
+            ],
+        );
+
+        state_manager.remove_inmemory_states_below(height(9), &btreeset![height(7), height(8)]);
+
+        // State at height 7 is kept because of it is included in `extra_heights_to_keep`.
+        // The additional protection on the state at height 8 currently has no effect since it is a checkpoint.
+        // However, this may be subject to change in the future.
+        assert_eq!(
+            state_manager.list_state_heights(CERT_ANY),
+            vec![
+                height(0),
+                height(2),
+                height(4),
+                height(6),
+                height(7),
+                height(8),
+                height(9)
+            ],
+        );
+
+        state_manager.remove_inmemory_states_below(height(9), &BTreeSet::new());
+
+        // State at height 7 is removed.
+        assert_eq!(
+            state_manager.list_state_heights(CERT_ANY),
+            vec![
+                height(0),
+                height(2),
+                height(4),
+                height(6),
+                height(8),
+                height(9)
+            ],
+        );
+
+        state_manager.remove_states_below(height(8));
+        state_manager.flush_deallocation_channel();
+
+        assert_eq!(
+            state_manager.list_state_heights(CERT_ANY),
+            vec![height(0), height(8), height(9)],
+        );
+
+        let state_manager = restart_fn(state_manager, Some(height(8)));
+
+        assert_eq!(
+            state_manager.list_state_heights(CERT_ANY),
+            vec![height(0), height(8)],
+        );
+    });
+}
+
 #[test]
 fn can_keep_last_checkpoint_and_higher_states_after_removal() {
     state_manager_restart_test(|state_manager, restart_fn| {

rs/test_utilities/src/state_manager.rs

@@ -25,7 +25,7 @@ use ic_types::{
     CryptoHashOfPartialState, CryptoHashOfState, Height, RegistryVersion, SubnetId,
 };
 use serde::{Deserialize, Serialize};
-use std::collections::VecDeque;
+use std::collections::{BTreeSet, VecDeque};
 use std::sync::{Arc, Barrier, RwLock};
 
 #[derive(Clone)]
@@ -196,7 +196,11 @@ impl StateManager for FakeStateManager {
             .retain(|snap| snap.height == Height::new(0) || snap.height >= height)
     }
 
-    fn remove_inmemory_states_below(&self, _height: Height) {
+    fn remove_inmemory_states_below(
+        &self,
+        _height: Height,
+        _extra_heights_to_keep: &BTreeSet<Height>,
+    ) {
         // All heights are checkpoints
     }
 
@@ -666,11 +670,15 @@ impl StateManager for RefMockStateManager {
         self.mock.read().unwrap().remove_states_below(height)
     }
 
-    fn remove_inmemory_states_below(&self, height: Height) {
+    fn remove_inmemory_states_below(
+        &self,
+        height: Height,
+        extra_heights_to_keep: &BTreeSet<Height>,
+    ) {
         self.mock
             .read()
             .unwrap()
-            .remove_inmemory_states_below(height)
+            .remove_inmemory_states_below(height, extra_heights_to_keep)
     }
 
     fn commit_and_certify(