Skip to content

Drop spammable messages beyond max allowed lookahead rounds #258

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
masih merged 1 commit into from
May 22, 2024
Merged

Drop spammable messages beyond max allowed lookahead rounds #258

masih merged 1 commit into from
May 22, 2024

Conversation

@masih
Copy link
Member

@masih masih commented May 21, 2024
edited
Loading

The gPBFT rebroadcast design revision introduced an improvement whereby "spammable" messages, i.e. COMMIT for bottom, for future rounds should be dropped by the participants. The specification leaves room for implementers to optionally retain some number of such messages to reduce reliance on the need for rebroadcast and ultimately help reach consensus in fewer rounds.

The work here:

  1. introduces WithMaxLookaheadRounds configuration option to gpbft package, defaulting to zero if unset.
  2. drops all spammable messages belonging to rounds that are beyond the configured max lookahead rounds.

A Spam adversary is introduced to replicate the conditions at which max lookahead rounds would start dropping messages. A set of tests then use the Spam adversary to assert that honest participants reach expected consensus despite the presence of spam messages.

Note that there are no APIs to assert that the upper lookahead bound is respected by the implementation. A TODO is left to revisit this once telemetry is introduced whereby tests can observe future message queue size metrics to assert a configured lookahead is indeed respected.

Resolves #240

@codecov-commenter
Copy link

codecov-commenter commented May 21, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 83.33333% with 9 lines in your changes are missing coverage. Please review.

Project coverage is 71.91%. Comparing base (c7da7b0) to head (fbf4f9f).

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main     #258      +/-   ##
==========================================
+ Coverage   71.66%   71.91%   +0.25%     
==========================================
  Files          31       32       +1     
  Lines        2333     2386      +53     
==========================================
+ Hits         1672     1716      +44     
- Misses        532      539       +7     
- Partials      129      131       +2
Files Coverage Δ
gpbft/gpbft.go 84.37% <100.00%> (+0.10%) ⬆️
gpbft/options.go 81.25% <100.00%> (+2.67%) ⬆️
sim/sim.go 76.69% <100.00%> (+0.69%) ⬆️
sim/adversary/spam.go 78.57% <78.57%> (ø)

@masih masih force-pushed the masih/rbrdcst-drp-spmbls branch from 396869b to fbf4f9f Compare May 21, 2024 11:45
@masih masih requested review from Kubuxu and anorth May 21, 2024 11:55
@masih masih marked this pull request as ready for review May 21, 2024 11:55
Kubuxu
Kubuxu reviewed May 21, 2024
View reviewed changes
anorth
anorth reviewed May 21, 2024
View reviewed changes
@anorth
Copy link
Member

anorth commented May 21, 2024

My comments are essentially nits so need not block you merging. I would appreciate you taking the time to explore whether a more robust predicate is possible, though.

@masih
Drop spammable messages beyond max allowed lookahead rounds
a5b82d3 
The gPBFT rebroadcast design revision introduced an improvement whereby
"spammable" messages, i.e. `COMMIT` for bottom, for future rounds should
be dropped by the participants. The specification leaves room for
implementers to optionally retain some number of such messages to
reduce reliance on the need for rebroadcast and ultimately help reach
consensus in fewer rounds.

The work here:
1. introduces `WithMaxLookaheadRounds` configuration option to `gpbft`
   package, defaulting to zero if unset.
2. drops all spammable messages belonging to rounds that are beyond the
   configured max lookahead rounds.

A `Spam` adversary is introduced to replicate the conditions at which
max lookahead rounds would start dropping messages. A set of tests then
use the `Spam` adversary to assert that honest participants reach
expected consensus despite the presence of spam messages.

Note that there are no APIs to assert that the upper lookahead bound is
respected by the implementation. A TODO is left to revisit this once
telemetry is introduced whereby tests can observe future message queue
size metrics to assert a configured lookahead is indeed respected.

Resolves #240
@masih masih force-pushed the masih/rbrdcst-drp-spmbls branch from fbf4f9f to a5b82d3 Compare May 22, 2024 10:37
@masih masih enabled auto-merge May 22, 2024 10:38
@masih masih added this pull request to the merge queue May 22, 2024
Merged via the queue into main with commit 073fe86 May 22, 2024
@masih masih deleted the masih/rbrdcst-drp-spmbls branch May 22, 2024 10:42
@github-actions
Copy link

github-actions bot commented May 22, 2024

Fuzz test failed on commit a5b82d3. To troubleshoot locally, download the seed corpus using GitHub CLI by running:

gh run download 9189781334 -n testdata

Aleternatively, download directly from here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@anorth anorth anorth left review comments

@Kubuxu Kubuxu Kubuxu approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

GPBFT instance should drop spammable messages from future rounds

5 participants

@masih @codecov-commenter @anorth @Kubuxu