core: Ignore errors when processing valid embedded messages
Correct replicas must always agree on message validity, i.e. on the result of checking a message's internal consistency and authenticity. However, it is practically hard, if not impossible, to guarantee the same regarding a message's correctness with respect to other messages, i.e. to guarantee accurate detection of any protocol violation. For example, Commit messages referring to already executed requests are simply ignored as excessive, even if they were actually generated with a protocol violation.

In the current implementation, a replica does not process a received message itself if it detects a protocol violation when processing the messages embedded into the received message. That does not create any problem as long as replicas do not embed potentially incorrect messages into their own generated messages. This currently holds for normal-case protocol messages. However, this way of treating incorrect embedded messages might compromise the liveness guarantee that is to be ensured by the view change operation. That is because a new primary needs to prove the correctness of the transition into the new view by presenting a new-view certificate which includes the message logs received by the new primary from other replicas. Due to the aforementioned inaccuracy in the detection of protocol violations, even a correct new primary might pick some message logs containing valid but incorrect messages. Should some other correct replicas keep rejecting such new-view certificates, the view change operation may never finish.

Nevertheless, a correct primary will only use well-formed message logs consisting of all valid messages from a sufficient quorum of replicas. This will be validated by other correct replicas and must be enough to ensure a safe transition into a new view, even if some messages included in the new-view certificate are incorrect. Incorrect messages are either ignored or rejected by correct replicas, thus they cannot cause request execution; whereas the purpose of the new-view certificate is to ensure that all requests that were prepared and potentially accepted for execution are propagated to the new view.

Without compromising safety, ignore errors encountered when processing embedded messages. This will allow the existing code to be used to process messages embedded into ViewChange and NewView messages, i.e. the messages of the message log included in a ViewChange message, and the ViewChange messages of the new-view certificate included in a NewView message.

Signed-off-by: Sergey Fedorov <sergey.fedorov@neclab.eu>
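The distinction the commit message draws, between validity (which every correct replica evaluates identically) and correctness with respect to local state (which correct replicas may legitimately evaluate differently), can be shown in a small model. The following Go program is an added example and is not code from the MinBFT project; the `Message`, `ReplicaState`, `validate`, `checkCorrectness` and `Process` names are constructed for illustration and do not correspond to the project's own types or API. It models two correct replicas with different execution progress that both receive a ViewChange carrying a message log with a Commit for a sequence number one of them has already executed: a validity failure in any embedded message rejects the whole ViewChange, while a correctness failure in an embedded message is recorded and ignored, so both replicas accept the same ViewChange.

```go
package main

import (
	"errors"
	"fmt"
)

// Message is a constructed stand-in for a protocol message (not the project's type).
type Message struct {
	Kind     string    // e.g. "Prepare", "Commit", "ViewChange"
	Sender   int       // replica id of the author
	View     uint64    // view the message belongs to
	Seq      uint64    // sequence number the message refers to
	Valid    bool      // stands in for a passed authenticity/format check
	Embedded []Message // messages carried inside this one, e.g. a message log
}

var (
	ErrInvalid   = errors.New("invalid message")
	ErrIncorrect = errors.New("protocol violation")
)

// ReplicaState is a toy replica: how far it has executed, and which embedded
// messages it chose to ignore rather than reject.
type ReplicaState struct {
	LastExecuted uint64
	Ignored      []string
}

// validate checks internal consistency and authenticity of a message and,
// recursively, of everything embedded in it. Correct replicas always agree on
// this result, so a failure here is a safe reason to reject the whole message.
func validate(m Message) error {
	if !m.Valid {
		return fmt.Errorf("%w: %s from replica %d", ErrInvalid, m.Kind, m.Sender)
	}
	for _, e := range m.Embedded {
		if err := validate(e); err != nil {
			return fmt.Errorf("embedded in %s: %w", m.Kind, err)
		}
	}
	return nil
}

// checkCorrectness checks a message against this replica's local state. This
// result depends on the replica's progress, so correct replicas may disagree:
// a Commit for an already executed request is excessive here but fine elsewhere.
func (s *ReplicaState) checkCorrectness(m Message) error {
	if m.Kind == "Commit" && m.Seq <= s.LastExecuted {
		return fmt.Errorf("%w: Commit for already executed seq %d", ErrIncorrect, m.Seq)
	}
	return nil
}

// Process applies the rule from the commit message: validity errors anywhere
// reject the received message; correctness errors in embedded messages are
// recorded and ignored; correctness of the outer message itself is still enforced.
func (s *ReplicaState) Process(m Message) error {
	if err := validate(m); err != nil {
		return err
	}
	for _, e := range m.Embedded {
		if err := s.checkCorrectness(e); err != nil {
			s.Ignored = append(s.Ignored, err.Error())
		}
	}
	return s.checkCorrectness(m)
}

// SampleViewChange builds a constructed ViewChange whose message log carries a
// Prepare and a Commit; the Commit's sequence number and validity are parameters.
func SampleViewChange(commitSeq uint64, commitValid bool) Message {
	return Message{Kind: "ViewChange", Sender: 2, View: 1, Valid: true,
		Embedded: []Message{
			{Kind: "Prepare", Sender: 0, View: 0, Seq: 6, Valid: true},
			{Kind: "Commit", Sender: 1, View: 0, Seq: commitSeq, Valid: commitValid},
		}}
}

func main() {
	ahead := &ReplicaState{LastExecuted: 5}  // already executed seq 4
	behind := &ReplicaState{LastExecuted: 3} // has not executed seq 4 yet
	vc := SampleViewChange(4, true)
	fmt.Println("ahead accepts:", ahead.Process(vc) == nil, "ignored:", ahead.Ignored)
	fmt.Println("behind accepts:", behind.Process(vc) == nil, "ignored:", behind.Ignored)
	fmt.Println("invalid embedded Commit:", ahead.Process(SampleViewChange(4, false)))
}
```

The point of the split is that `validate` is the only check allowed to reject a message on behalf of what it carries: because every correct replica computes it identically, rejecting on it cannot partition correct replicas. Anything that depends on local progress, as `checkCorrectness` does, is only enforced for the outer message the replica is acting on, so a new-view certificate assembled from valid logs is accepted by all correct replicas regardless of which excessive messages those logs happen to contain.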