fail_hard is not working as described #2847
Comments
|
To keep implementation simple for now, continue to treat |
|
As a client of rippled, I care about which category the result code falls under:
In case of (1), I'll watch fully validated ledgers to see if they included my transaction, and if one does, I'll look to see what effect my transaction had on the ledger. In case of (2), I'll know that my transaction "failed" with finality, so I can feel free to create/submit a new transaction re-using that tx's sequence number. Currently, I have to assume everything is (1) because even |
|
My 2¢:
|
Just adding a friendly reminder that you can't know 100% that your transaction is in (2), if you don't trust / control the server you're submitting to, or the wire you're submitting over. That aside, you can always attempt to submit a new transaction with the same sequence number. Even if the old transaction is in the local list, the new one may go into the queue or open ledger, which would cause later attempts on the old one to fail with
I would not object to adding such a field, but I'm not sure if it's necessary if we implement things correctly.
You know... While we're in there making changes, it would be "easy" enough to force those types of failures to never be retried, regardless of the value of
I think that's technically possible with flags, so it wouldn't be super difficult to implement. However, it would not be a good idea unless it was limited to admins. On a more public node, we want anybody who can pay a fee to pay the fee to discourage them from experimenting or abusing that node. This merits further discussion. I think this would be a breaking change requiring an amendment, because it changes whether a transaction gets put into the open ledger at all, even if that is only in a local context.
I agree about |
That's not a big deal because you always have to use https/wss and trust the server you're using.
That sounds fine.
I like this idea. For admins, with
No, I don't think this should require an amendment because it should only affect the local context. We can avoid a breaking change by using an API version parameter, called e.g.
Agreed. |
|
The 'fail_hard' feature was, unfortunately, poorly thought out and not very well conceived. For transactions that are perfect, it doesn't help you, they'll succeed no matter what. For transactions that are totally busted, it doesn't help you, they'll fail no matter what. It was supposed to help you in the squishy middle, but unfortunately the middle is quite squishy.
It predates the transaction fee queue and so doesn't really handle that right at all. There's no clear right way to handle that. Broadly, the problem is that the context in which the server executes the transaction
when it is submitted and the context in which the transaction might run if it reaches a network consensus and is sequenced can differ. A 'tec' at submission time does not mean a 'tec' at later execution. A 'tes' at submission does not mean a 'tes' at later execution.
The original thinking was that it would be nice if you could treat a 'tef' as final. The transaction is very unlikely to succeed if retried anyway. So it would be nice to be able to treat that as a "can't ever happen"
condition and have one less edge case to worry about. It doesn't make much sense to treat a 'tec' as final because there's definitely no guarantee the transaction will get a 'tec' later anyway (it's not necessarily even likely).
It is very important for everyone to keep in mind that whatever result you get as a result of submitting a transaction, it is the result of that submission ONLY. It in no way tells you much about the final disposition of that transaction. And, of course, the fee queue makes this even more difficult.
My advice has always been that if you sign a transaction, you should never assume that it can't wind up in a ledger later until you see a fully-validated ledger that either has a transaction from the same account
with the same sequence number or you see a fully-validated ledger with a ledger sequence number equal to or grater than the last valid ledger for the transaction (if it has one). Nothing else should really be treated as final because it's not hard to create edge cases where results change.
It would definitely be nice to have a flag in the response that told you whether or not the server promises not to continue trying to process the transaction.
|
|
I would like to emphasize:
That would be very helpful. |
|
FirstLedgerSequence
^^^^^
|
|
I do not think FirstLedgerSequence is relevant here |
|
with the same sequence number or you see a fully-validated ledger with a
ledger sequence number equal to or grater than the last valid ledger for
the transaction (if it has one).
|
|
When we fix
I understand the reasoning here, as it's an anti-abuse mechanism and theoretically cuts down on spam by claiming transaction fees and destroying XRP. But in practice, I don't think this is is a valuable defense. If a node can be abused by sending invalid transactions to it, then we have bigger problems. This should be solved with rate limiting instead. After all, there is already processing involved for transactions that end up with
I do not think it should require an amendment since it only affects the local context, and only when |
|
That's not a big deal because you *always* have to use https/wss and
trust the server you're using. fail_hard is irrelevant here; if the
server is not trusted, then it could lie to you about anything, including
transaction results. For example, the server could claim your transaction
was finalized as a tec when it was actually tes, tricking you into
re-sending money.
True, but only because clients are not very smart. I don't want to design
for dumb clients. The original plan was that human readable APIs are for
humans and that clients should be able to minimize server load by parsing
binary data. A server can provide validations and proof trees to a smart
client.
Maybe that ship has sailed.
DS
… |
|
Well, servers don't provide proof trees so far, so nobody wrote clients that would understand them. |
FIXES: XRPLF#2847 * Transactions that are submitted with the fail_hard flag and that result in any TER code besides tesSUCCESS shall not be queued or held.
FIXES: XRPLF#2847 * Transactions that are submitted with the fail_hard flag and that result in any TER code besides tesSUCCESS shall be neither queued nor held.
FIXES: XRPLF#2847 * Transactions that are submitted with the fail_hard flag and that result in any TER code besides tesSUCCESS shall be neither queued nor held.
FIXES: XRPLF#2847 * Transactions that are submitted with the fail_hard flag and that result in any TER code besides tesSUCCESS shall be neither queued nor held. [FOLD] Keep tec results out of the open ledger when fail_hard: * Improve TransactionStatus const correctness, and remove redundant `local` check * Check open ledger tx count in fail_hard tests * Fix some wrapping * Remove duplicate test
The
fail_hardparameter to submit (https://developers.ripple.com/submit.html) is described asThis is not the current rippled behavior. Instead, only
terresult codes (except forterQUEUED) are not retried or relayed. All other failure codes do retry. This is unlikely to be a problem because those failure codes will not succeed on most retry events, BUT some of them could potentially succeed if the protocol rules change while it's retrying, eg. an amendment goes live.The text was updated successfully, but these errors were encountered: