Continue building blocks as liveness fallback in case of epoch failure

[jordanschalm]

This PR implements a fallback mechanism to continue block production after the specified end view of an epoch, if the next epoch has not been successfully set up or committed.

Changes

• When building the first (and all subsequent) blocks of an epoch, if that epoch has not been set up or committed, store the block with the EpochStatus of its parent, so that it is treated as part of the last epoch
• Create a fallback leader selection using the config for the last epoch, if the next epoch has not been set up or committed
• Continue using our last epoch's random beacon key to sign block messages, if the next epoch has not been set up or committed
• Ignore all service events, if we have entered a state of emergency chain continuation
• Avoid emitted epoch transition and epoch phase transition protocol events, if we have entered a state of emergency chain continuation

[codecov-commenter]

Codecov Report

Merging #1250 (4d7b4d5) into master (890803b) will decrease coverage by 0.05%.
The diff coverage is 64.70%.

@@            Coverage Diff             @@
##           master    #1250      +/-   ##
==========================================
- Coverage   56.28%   56.22%   -0.06%     
==========================================
  Files         497      497              
  Lines       30327    30384      +57     
==========================================
+ Hits        17069    17083      +14     
- Misses      10945    10976      +31     
- Partials     2313     2325      +12     

Flag	Coverage Δ
unittests	56.22% <64.70%> (-0.06%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
model/flow/epoch.go	42.70% <0.00%> (-0.95%)	⬇️
state/protocol/inmem/epoch.go	80.00% <ø> (ø)
...nsensus/hotstuff/committees/consensus_committee.go	61.76% <63.63%> (-5.38%)	⬇️
module/epochs/epoch_lookup.go	54.54% <64.70%> (+1.91%)	⬆️
state/protocol/badger/mutator.go	64.42% <73.33%> (-0.97%)	⬇️
module/signature/signer_store.go	50.00% <100.00%> (ø)
...sus/approvals/assignment_collector_statemachine.go	42.30% <0.00%> (-9.62%)	⬇️
engine/collection/synchronization/engine.go	62.90% <0.00%> (-1.08%)	⬇️
cmd/util/ledger/migrations/storage_v4.go	41.56% <0.00%> (-0.61%)	⬇️
... and 1 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 890803b...4d7b4d5. Read the comment docs.

[AlexHentschel]

looks good. Tried to help out by adding goDoc and consolidating the code a bit: please see my PR #1255 (targeting this branch)

[AlexHentschel]

Overall approach looks good to me for a temporary solution. Have some ideas, what we could do as a bit more mature approach (follow up work).

[zhangchiqing]

how often would this update happen?
I think we should generate the leader selection only once. Even for the EECC epoch. How to ensure that?

[jordanschalm]

It will happen exactly once, the first time we attempt to retrieve the leader for a view which falls outside of a committed epoch. The reasoning for why this is true is in

flow-go/consensus/hotstuff/committees/consensus_committee.go

Lines 103 to 130 in 24706fe

	if !errors.Is(err, errSelectionNotComputed) {
	return flow.ZeroID, err
	}
	// we only reach the following code, if we got a errSelectionNotComputed
	// STEP 2 - we haven't yet computed leader selection for an epoch containing
	// the requested view. We compute leader selection for the current and previous
	// epoch (w.r.t. the finalized head) at initialization then compute leader
	// selection for the next epoch when we encounter any view for which we don't
	// know the leader. The series of epochs we have computed leaders for is
	// strictly consecutive, meaning we know the leader for all views V where:
	//
	// oldestEpoch.firstView <= V <= newestEpoch.finalView
	//
	// Thus, the requested view is either before oldestEpoch.firstView or after
	// newestEpoch.finalView.
	//
	// CASE 1: V < oldestEpoch.firstView
	// If the view is before the first view we've computed the leader for, this
	// represents an invalid query because we only guarantee the protocol state
	// will contain epoch information for the current, previous, and next epoch -
	// such a query must be for a view within an epoch at least TWO epochs before
	// the current epoch when we started up. This is considered an invalid query.
	//
	// CASE 2: V > newestEpoch.finalView
	// If the view is after the last view we've computed the leader for, we
	// assume the view is within the next epoch (w.r.t. the finalized head).
	// This assumption is equivalent to assuming that we build at least one

[zhangchiqing]

Just to confirm my understanding:

1. Once entering EECC, then it won't enter another EECC?
   2.Once entering EECC, there will be no DKG in EECC
2. Once entering EECC, the Epoch phase will stay at Staking Phase

[jordanschalm]

Once entering EECC, then it won't enter another EECC?
Once entering EECC, there will be no DKG in EECC
Once entering EECC, the Epoch phase will stay at Staking Phase

These are all correct.

[zhangchiqing]

If we are still in the current epoch during EECC, why we do still generate leaders for next epoch

[jordanschalm]

The implementation allows it, and it's a simpler change than trying to replace the existing leader selection for the current epoch which is being extended with EECC.

[jordanschalm]

This is ready for another look @zhangchiqing

[zhangchiqing]

I would suggest to return the error, and make another function like EpochForSignerView for the SignerStore to call.

Because different callers will expect different epoch counters for views that have no epoch committed:

• the signer store expects EpochForView to return the current epoch
• the leader selection expects EpochForView to returns the next epoch

Better we let signer store to call EpochForSignerView
and let leader selection to call EpochForView

[jordanschalm]

👍 Added in 7e85f17

[zhangchiqing]

Looks good 👍

[jordanschalm]

bors merge

[bors]

Build succeeded:

• Integration Tests (1.15)
• Integration Tests (1.16)
• Lint
• Unit Tests (1.15)
• Unit Tests (1.16)