Refactor BlockHistoryEstimator check to halt excessive bumping #13297
Conversation
| } | ||
| // Return error to prevent bumping if gas price is nil or if EIP1559 is enabled and tip cap is nil | ||
| if maxGasPrice == nil || (b.eConfig.EIP1559DynamicFees() && maxTipCap == nil) { | ||
| errorMsg := fmt.Sprintf("%d percentile price is not set. This is likely because there aren't any valid transactions to estimate from. Preventing bumping until valid price is available to compare", percentile) |
There was a problem hiding this comment.
Is this safe? This means that if head tracker is not working we can't bump txes. That seems potentially dangerous.
There was a problem hiding this comment.
Good point. Think this was ok with a previous version of the proposal when we'd use the same block range for the gas estimation and this halt bumping check. Since we landed on using different number of blocks, it's possible we have a gas price set but don't have the cap set which would block bumping. I've updated this to return nil to allow bumping to continue.
There was a problem hiding this comment.
After discussing with Dimitris, I don't think halting bumping if max gas price or max tip cap are set is dangerous so I'm reverting back to erroring on this condition. This issue can only arise on startup when the initial value for this have not been set yet. If there is an issue with the head tracker, we likely have bigger problems with the node. If the issue is the lack of transactions to calculate these values, we don't think it's a problem to hold on bumping until we have usable values. It'd be an extreme edge case to get consistent blocks without usable transactions after startup to reach a point that bumping needs to be blocked for a missing value. But it seems safer to block than blindly (and potentially aggressively) bump the transaction(s).
There was a problem hiding this comment.
Yes, I see these values can be null only if we failed to calculate things on startup, which itself means BlockHistoryEstimator cannot work.
If you don't have blocks, you can't calculate %iles, thus not set gas prices at all.
If at a later time the HeadTracker stops, we will still have these values set, just to a stale value.
I'm ok with halting bumping in such cases. There is a risk, but then we already see HeadTracker not working, no no point going crazy with bumping.
I've seen many cases where our gas_prices are way way higher than the gas fees on a block, causing the nodes to go out of funds. So not halting is actually already causing production problems.
| promBlockHistoryEstimatorSetGasPrice = promauto.NewGaugeVec(prometheus.GaugeOpts{ | ||
| Name: "gas_updater_set_gas_price", | ||
| Help: "Gas updater set gas price (in Wei)", | ||
| }, | ||
| []string{"percentile", "evmChainID"}, | ||
| ) | ||
|
|
||
| promBlockHistoryEstimatorSetMaxPercentileGasPrice = promauto.NewGaugeVec(prometheus.GaugeOpts{ |
There was a problem hiding this comment.
I'm a bit sceptical on adding more metrics like these. Do we even know if anyone uses them?
There was a problem hiding this comment.
I'm ok with removing these but I was thinking it was harmless in case we wanted to every create dashboards in the future. I'll remove these since they can be added later if we ever do need them.
There was a problem hiding this comment.
Removed in the following commit
…-s-checkConnectivity-method
…-s-checkConnectivity-method
| blockRange := mathutil.Min(len(blockHistory), int(b.bhConfig.CheckInclusionBlocks())) | ||
| startIdx := len(blockHistory) - blockRange | ||
| checkInclusionBlocks := blockHistory[startIdx:] | ||
| // Check each attempt for any with a gas price or tip cap (if EIP1559 type) exceeds the latest CheckInclusionPercentile prices | ||
| for _, attempt := range attempts { | ||
| if attempt.BroadcastBeforeBlockNum == nil { |
There was a problem hiding this comment.
Is this check relevant anymore? What does this accomplish ?
There was a problem hiding this comment.
I left this check in here as part of a belt and braces approach since it's still an assumption violation. Since we don't use attempt.BroadcastBeforeBlockNum anymore, you're right that this check isn't really protecting anything except halting bumping if a tx has an attempt without BroadcastBeforeBlockNum set.
There was a problem hiding this comment.
Actually I had a major suspect this code is causing problems.
Inside our confirmer, we are setting BroadcastBeforeBlockNum to null here:
chainlink/common/txmgr/confirmer.go
Line 857 in d675d86
I couldn't find where we do again set the value back to a valid block.
Could you check that, and ensure it isn't set to null forever?
There was a problem hiding this comment.
Otherwise, I'm in favor of removing this check
There was a problem hiding this comment.
I believe after this code the Confirmer tries broadcast the transaction. Whether it's successful or fails, it saves the attempt without a BroadcastBeforeBlockNum. Then on the next call of processHead, we set the block num for all broadcast attempts here:
chainlink/common/txmgr/confirmer.go
Lines 293 to 295 in 58d73ec
BroadcastBeforeBlockNum is if it is either in_progress or insufficient_funds state. But txs with an insufficient_funds attempt are never passed to bumping and attempts aren't marked as in_progress anywhere in the call stack before bumping.
If we want to ensure we don't bump for txs with either in_progress or insufficient_funds attempts, I can change this validation to check that all attempts are broadcast state. Seems like it would be functionally the same as the BroadcastBeforeBlockNum check but much more straight forward. I'm also ok removing this check but seems like a good check to have for a belts and braces approach since we would want to block bumping if a tx has a non-broadcast state attempt.
There was a problem hiding this comment.
Thanks for the validation. Looks good.
| gweiMultiplier := big.NewFloat(1_000_000_000) | ||
| float := new(big.Float).SetInt(maxPercentileGasPrice.ToInt()) | ||
| gwei, _ := big.NewFloat(0).Quo(float, gweiMultiplier).Float64() | ||
| maxPercentileGasPriceGwei := fmt.Sprintf("%.2f", gwei) |
There was a problem hiding this comment.
Can you take a look at the assets package and see if you can reuse something from there to simplify this?
There was a problem hiding this comment.
Good call! Found an existing method
| float = new(big.Float).SetInt(maxPercentileTipCap.ToInt()) | ||
| gwei, _ = big.NewFloat(0).Quo(float, gweiMultiplier).Float64() | ||
| maxPercentileTipCapGwei := fmt.Sprintf("%.2f", gwei) |
…-s-checkConnectivity-method
|
| blockRange := mathutil.Min(len(blockHistory), int(b.bhConfig.CheckInclusionBlocks())) | ||
| startIdx := len(blockHistory) - blockRange | ||
| checkInclusionBlocks := blockHistory[startIdx:] | ||
| // Check each attempt for any with a gas price or tip cap (if EIP1559 type) exceeds the latest CheckInclusionPercentile prices | ||
| for _, attempt := range attempts { | ||
| if attempt.BroadcastBeforeBlockNum == nil { |
There was a problem hiding this comment.
Actually I had a major suspect this code is causing problems.
Inside our confirmer, we are setting BroadcastBeforeBlockNum to null here:
chainlink/common/txmgr/confirmer.go
Line 857 in d675d86
I couldn't find where we do again set the value back to a valid block.
Could you check that, and ensure it isn't set to null forever?
| blockRange := mathutil.Min(len(blockHistory), int(b.bhConfig.CheckInclusionBlocks())) | ||
| startIdx := len(blockHistory) - blockRange | ||
| checkInclusionBlocks := blockHistory[startIdx:] | ||
| // Check each attempt for any with a gas price or tip cap (if EIP1559 type) exceeds the latest CheckInclusionPercentile prices | ||
| for _, attempt := range attempts { | ||
| if attempt.BroadcastBeforeBlockNum == nil { |
There was a problem hiding this comment.
Otherwise, I'm in favor of removing this check
| } | ||
| // Return error to prevent bumping if gas price is nil or if EIP1559 is enabled and tip cap is nil | ||
| if maxGasPrice == nil || (b.eConfig.EIP1559DynamicFees() && maxTipCap == nil) { | ||
| errorMsg := fmt.Sprintf("%d percentile price is not set. This is likely because there aren't any valid transactions to estimate from. Preventing bumping until valid price is available to compare", percentile) |
There was a problem hiding this comment.
Yes, I see these values can be null only if we failed to calculate things on startup, which itself means BlockHistoryEstimator cannot work.
If you don't have blocks, you can't calculate %iles, thus not set gas prices at all.
If at a later time the HeadTracker stops, we will still have these values set, just to a stale value.
I'm ok with halting bumping in such cases. There is a risk, but then we already see HeadTracker not working, no no point going crazy with bumping.
I've seen many cases where our gas_prices are way way higher than the gas fees on a block, causing the nodes to go out of funds. So not halting is actually already causing production problems.
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
dimriou
deleted the
BCI-2883-Refactor-Block-History-Estimator-s-checkConnectivity-method
branch
CheckInclusionBlocksamount of blocks had to pass since broadcast to assess an attemptCheckInclusionBlocksamount of blocks to calculate theCheckInclusionPercentilepriceCheckInclusionBlocksconfig was set greater thanBlockHistorySize, the latest gas estimation used would beCheckInclusionBlocks-BlockHistorySizeblocks behindBlockHistorySizeconfig was set greater thanCheckInclusionBlocks, the check to halt bumping would not use all of the blocks available to it untilBlockHistorySize-CheckInclusionBlockspassed