Release 2.05.0.2.1 (hotfix: check chain work when processing reorgs) #3152
Conversation
…ndexer's find_bitcoin_reorg() method to check the original and reorg chain's total work in order to decide whether to move forward with reorg processing.
…BUT, right now the work calculation for a difficulty adjustment interval is getting the wrong answers and I don't know why.
…et, which is what gets used in the difficulty comparison
Codecov Report
@@ Coverage Diff @@
## master #3152 +/- ##
==========================================
- Coverage 83.73% 82.40% -1.33%
==========================================
Files 260 260
Lines 201055 203317 +2262
==========================================
- Hits 168355 167545 -810
- Misses 32700 35772 +3072
Continue to review full report at Codecov.
|
…chainwork into the original SPV database, instead of re-downloading the same headers and hoping for the best. Also, update the mainnet unit test to compare chainwork against known chainwork from bitcoind
…s the bookkeeping on the SPV DB, so it doesn't have to
…t to download (off-by-one error)
stacks-common/src/util/uint.rs
Outdated
| let bytes = self.0[i].to_le_bytes(); | ||
| for j in 0..bytes.len() { | ||
| ret[$n_words * 8 - 1 - (i * 8 + j)] = bytes[j]; | ||
| } |
There was a problem hiding this comment.
I think using to_be_bytes() makes this a little easier to follow
| let bytes = self.0[i].to_le_bytes(); | |
| for j in 0..bytes.len() { | |
| ret[$n_words * 8 - 1 - (i * 8 + j)] = bytes[j]; | |
| } | |
| let word_end = $n_words * 8 - (i * 8); | |
| let word_start = word_end - 8; | |
| ret[word_start..word_end] | |
| .copy_from_slice(&self.0[i].to_be_bytes()); |
| @@ -671,4 +734,21 @@ mod tests { | |||
| Uint256([0, 0xDEADBEEFDEADBEEF, 0xDEADBEEFDEADBEEF, 0]) | |||
| ); | |||
| } | |||
|
|
|||
| #[test] | |||
| pub fn hex_codec() { | |||
There was a problem hiding this comment.
The changes in uint need one or two more complex vectors -- this test only covers handling a single word of content.
src/burnchains/bitcoin/indexer.rs
Outdated
| // * needs the last difficulty interval of headers (note that the current | ||
| // interval is `start_block / BLOCK_DIFFICULTY_CHUNK_SIZE - 1). | ||
| // * needs the last interval's chain work calculation | ||
| let interval_start_block = start_block / BLOCK_DIFFICULTY_CHUNK_SIZE - 2; |
There was a problem hiding this comment.
What is interval_start_block? If BLOCK_DIFFICULTY_CHUNK_SIZE is 500, and start_block is 502, this is -2? Should that panic or underflow?
There was a problem hiding this comment.
This should be a saturating subtraction.
src/burnchains/bitcoin/indexer.rs
Outdated
| let reorg_total_work = reorg_spv_client.update_chain_work()?; | ||
| let orig_total_work = orig_spv_client.get_chain_work()?; | ||
|
|
||
| debug!("Bitcoin headers history is consistent up to {}. Orig chainwork: {}, reorg chainwork: {}", new_tip, orig_total_work, reorg_total_work); |
There was a problem hiding this comment.
Looks like a good case for k-v syntax
| info!( | ||
| "New canonical Bitcoin chain found! New tip is {}", | ||
| &hdr_reorg.header.bitcoin_hash() | ||
| ); |
There was a problem hiding this comment.
Does this log line appear on every new bitcoin block, or only on reorgs?
There was a problem hiding this comment.
Only on reorgs. This can only get hit if the newly-discovered headers (the "reorg" headers) have more total work than the headers currently in the headers DB (the "orig" headers).
There was a problem hiding this comment.
Many lines are showing up as "not covered by test" in the code coverage, e.g.:
- https://app.codecov.io/gh/stacks-network/stacks-blockchain/compare/3152/diff#D3L243
- https://app.codecov.io/gh/stacks-network/stacks-blockchain/compare/3152/diff#D3L375
- https://app.codecov.io/gh/stacks-network/stacks-blockchain/compare/3152/diff#D3L990
Is this an artifact of CodeCov or are they really not covered?
|
@gregorycoppola I'm not seeing what you're seeing? |
…over to the .reorg DB, and use K/V logging. Also, add multi-word test vectors to hex codec for uint256
|
I think the linking to CodeCov system is kind of buggy/confusing, because when I click the link it doesn't bring me to the line I started with. I'm guessing you mean you don't know which lines I'm referring to (but maybe you mean you see the lines but you think they are actually covered). I think the I'm attaching some screen shots. |
|
@gregorycoppola Oh I see why. The new unit tests require you to supply a mainnet headers DB, whose path is indicated by the enviorn |
|
@jcnelson i'm not trying to create busy work in the middle of a hot fix.. just checking what was going on. if you think it's tested, that's fine. |
Ah, sorry, I didn't realize how dismissive I sounded in that comment! I'm glad you brought the code coverage up -- it's important that we do get this covered in CI. I was only trying to get the reviewers' permission to do so in a separate PR :) |
There was a problem hiding this comment.
I'm not totally getting the higher-level picture of what exactly the bug was, why it was a bug, and why this fix is needed.
But, it seems to me like the code is implementing the change described in the description... so I'll leave it to you guys to verify that the change makes sense.
jcnelson
changed the title
|
Okay everyone, both the Foundation and Hiro have confirmed that this node is able to both boot from existing chainstate and spawn from genesis on both mainnet and testnet. If that's sufficient in your eyes for cutting a release, please approve this. |
Okay, this is now ready for review.
This is a hotfix to the SPV client that addresses the following bugs:
The SPV client now tracks the best chain work for each Bitcoin difficulty adjustment interval it has ever seen. Any attempt to store headers that would lead to a decrease in total chain work will result in an error which will cause the node to re-attempt to download those headers indefinitely until they have at least the best-seen work.
The SPV client will verify that newly-obtained headers after the initial header sync have timestamps that are within 2 hours of the current epoch time.
The SPV client will verify that each Bitcoin header has a timestamp that is strictly greater than the median of the past 11 Bitcoin blocks.
The SPV client will reject a block that has a strictly higher value than the target for the difficulty interval, instead of an equal or higher target.
By far the most work in this PR concerns point #1. To build confidence in the implementation, I added a unit test that is disabled by default, but if set up with the proper environment variables, will download the mainnet Bitcoin block headers and verify that the calculated chain work in each interval is equal to values I manually extracted from
bitcoind. In addition, I took PoC bad block headers from the Immunefi bug report and created two unit tests whereby:A new chain with the bad blocks is discovered and compared to the main chain with the good blocks (this new chain is verified ignored because it has lower total chain work), and
A new chain with the good blocks is discovered and compared to the main chain with the bad blocks (this new chain is verified accepted because it has a higher total chain work).
There are a couple of modifications to
BitcoinIndexer::find_bitcoin_reorg()that necessitated changes toBurnchain::sync_with_indexer()that are difficult to test in both unit and integration tests. I am currently in the process of filling this end-to-end test checklist:A node with this patch is able to resume from existing mainnet chainstate and reach the chain tip
A node with this patch is able to boot from genesis on mainnet and reach the chain tip
A node with this patch is able to resume from existing testnet chainstate and reach the chain tip
A node with this patch is able to boot from genesis on testnet and reach the chain tip
Once these end-to-end tests pass, I think we can make a hotfix release. Once the first end-to-end test passes (resuming from existing mainnet chainstate), I think we can cut a release candidate.
Reminder to anyone reading this: This project participates in Immunefi to pay bounties for bugs such as this one. This bug was reported via Immunefi and is confirmed to exist, as this PR proves.