Queue failed reports for later insertion into blocks #98
Conversation
There was a problem hiding this comment.
As discussed in #97, let's make sure we retry sending the transactions until they are committed and finalized. When retrying a whole batch of reports, let's use consecutive nonces for them, so that they all have a chance to get committed.
DemiMarie
force-pushed
the
no-consume-nonces
branch
2 times, most recently
from
91eecd3
to
7aa2c53
Compare
DemiMarie
force-pushed
the
no-consume-nonces
branch
from
27bf328
to
ef55005
Compare
|
@afck can you review the changed request? |
DemiMarie
force-pushed
the
no-consume-nonces
branch
from
10a3f63
to
a01e879
Compare
|
@afck what would you set the limit to? |
There was a problem hiding this comment.
To keep the ABI sensible you could add declarations only for the methods that are new in Parity code. The complete ABI is not informative and bears the responsibility to update it every time it updates in the contracts even if that does not affect methods called from Parity.
DemiMarie
force-pushed
the
no-consume-nonces
branch
from
d487ced
to
80f7381
Compare
There was a problem hiding this comment.
Looks good! But let's make sure this doesn't spam malice report calls, and use a timeout and some maximum number of calls per block.
@varasev: I wonder whether we should even enforce some maximum number of reports per block in the permission contract?
scripts/get-abi
Outdated
| if len(sys.argv) != 4: | ||
| print('must have 3 arguments, not {}'.format(len(sys.argv) - 1), file=sys.stderr) | ||
| sys.exit(1) | ||
| main(*sys.argv[1:]) |
There was a problem hiding this comment.
Good idea! But let's document this script. If found this I'd have no idea what it's for and how to use it.
scripts/aura-used-functions.txt
Outdated
| @@ -0,0 +1,6 @@ | |||
| getValidators | |||
There was a problem hiding this comment.
Parity already suffers from inconsistent naming of contract ABI JSONs and the associated Rust variables. Can we at least have an unambiguous connection between this file and validator_set_aura.json? Maybe call it validator_set_aura.used.txt or something like that - with the base name of the ABI JSON?
Let's limit this to 15 calls per block and remove successfully calls from the list according to FIFO principle. That would be enough to not to spam the block with 100 000 000 gas limit by 20 validators (20 validators * 15 calls * 250 000 gas/call = 75 million gas in total).
I think we shouldn't limit this for a block. We have such a limit per staking epoch (to resist spammer validator): if some validator reports too often unlike the rest validators, this is treated as spam attempt by the contracts. However, this doesn't apply to the honest validators. This is a protection against malicious validator for the case when they want to use their ability to send fake transactions with 0 gas price to |
|
But the problem is that with the current retry logic, we are creating transactions for the same malice report multiple times, with multiple nonces, which would be spam in that sense. We should either:
|
This won't be treated as spam by the contracts until the transactions are mined. If some transaction with the same tuple |
|
Ah, okay, thanks! Then that should be fine. |
Several minutes is too long. Maybe you meant a few blocks? Malicious reports should be sent as soon as possible, especially at the end of staking epoch. Imagine that some validator misbehaved at the end of the epoch: honest validators don't have much time to send their reports until they stop being validators because |
DemiMarie
force-pushed
the
no-consume-nonces
branch
from
d04bd22
to
574578b
Compare
Yes, but this is only for the (hopefully exceptional) case where the report fails to get mined for some reason. Maybe we should use exponential backoff: Retry after 20 seconds, then 40, then 80, then 160, …?
Right, I hadn't realized that! |
|
The For example: If some tuple Such a situation with mining those two transactions is only possible if they are mined in the same block. If the transaction B is called in some later block, it will be canceled due to the rules in TxPermission and thus won't be included into the block. |
|
I think it's too early to merge this into |
|
Too late. 😬 Let's test it thoroughly and revert if we see problems. |
|
I'd restore the removed branch |
|
GitHub allows restoring removed branch and reverting PR's changes easily if you have enough rights for the repo. |
|
OK, I'm fine with it. Feel free to revert. |
|
I have no rights for this repo :) And you? |
|
Not admin permissions. It looks like I can't even see the deleted branch. |
|
@phahulin Can you also revert this PR? We could re-open it and then test before merging into |
I mean there should be
|
|
@varasev I did test it locally. It works fine. |
|
@DemiMarie could you please write here the steps you performed for testing, so we could repeat them. |
|
@varasev |
|
Got it, but those are the general tests which don't test the |
|
@varasev We don’t have any tests for @afck would you be okay with merging
|
|
I feel really uncomfortable about merging code into |
|
@afck We can, though it would be a significant amount of maintainance effort. That’s why I suggested using Cargo features to ensure that it is disabled under any normal circumstances. In particular, we could ensure that the when the test feature is enabled, the node refuses to connect to anything but loopback. |
|
Hmm… okay, maybe it's better this way. It still makes me uncomfortable, but if the team prefers it, feel free to merge it (with the precautions you're suggesting). |
|
@phahulin That might be because of the way I merged the PR (by fast-forward). |
|
@phahulin I could do a |
|
@DemiMarie yes, I think that's the way to do it. |
I agree with this. Let's keep that feature in a separate branch. |
|
I'm actually OK with merging |
|
I agree with @VladimirNovgorodov . We can remove this "feature" before the release. |
If we fail to send a transaction that reports a validator as malicious,
store it on a stack. When we next seal a block, included the failed
transactions.