Skip to content
This repository has been archived by the owner on Nov 15, 2023. It is now read-only.

pre-checking: Reject failed PVFs #6492

Merged
merged 15 commits into from
Jan 12, 2023
Merged

pre-checking: Reject failed PVFs #6492

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
30c3215
pre-checking: Reject failed PVFs
mrcnski Jan 2, 2023
d14c979
paras: immediately reject any PVF that cannot reach a supermajority
mrcnski Jan 2, 2023
79f1677
Make the `quorum` reject condition a bit more clear semantically
mrcnski Jan 2, 2023
978e992
Add comment
mrcnski Jan 2, 2023
3675052
Update implementer's guide
mrcnski Jan 2, 2023
baed8f7
Update a link
mrcnski Jan 3, 2023
2806d88
Update runtime/parachains/src/paras/tests.rs
mrcnski Jan 3, 2023
f05224d
Remove unneeded loop
mrcnski Jan 3, 2023
b7cf378
Merge branch 'master' into m-cat/prechecking-supermajority
mrcnski Jan 5, 2023
db1a822
Log PVF retries using `info!`
mrcnski Jan 5, 2023
30ec605
Change retry logs to `warn!` and add preparation failure log
mrcnski Jan 5, 2023
c94135b
Log PVF execution failure
mrcnski Jan 5, 2023
876daa6
Clarify why we reject failed PVFs
mrcnski Jan 9, 2023
af102c3
Merge branch 'master' into m-cat/prechecking-supermajority
mrcnski Jan 11, 2023
1d5753b
Fix PVF reject runtime benchmarks
mrcnski Jan 11, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
pre-checking: Reject failed PVFs
  • Loading branch information
@mrcnski
mrcnski committed Jan 2, 2023
commit 30c32151f552ff9460352b8bad402a0a8aa64d3e
3 changes: 1 addition & 2 deletions node/core/candidate-validation/src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -295,8 +295,7 @@ where
_ => {
// The reasoning why this is "failed" and not invalid is because we assume that
// during pre-checking voting the relay-chain will pin the code. In case the code
// actually is not there, we issue failed since this looks more like a bug. This
// leads to us abstaining.
// actually is not there, we issue failed since this looks more like a bug.
gum::warn!(
target: LOG_TARGET,
?relay_parent,
Expand Down
11 changes: 5 additions & 6 deletions node/core/pvf-checker/src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -190,16 +190,15 @@ async fn handle_pvf_check(
PreCheckOutcome::Valid => Judgement::Valid,
PreCheckOutcome::Invalid => Judgement::Invalid,
PreCheckOutcome::Failed => {
// Abstain.
//
// Returning here will leave the PVF in the view dangling. Since it is there, no new
// pre-checking request will be sent.
// Always vote against in case of failures. Voting against a PVF when encountering a
// timeout (or an unlikely node-specific issue) can be considered safe, since
// there is no slashing for being on the wrong side on a pre-check vote.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Exactly. Also by being more strict here, we can safely be more lenient during preparation and avoid risk of getting slashed there.

gum::info!(
target: LOG_TARGET,
?validation_code_hash,
"Pre-check failed, abstaining from voting",
"Pre-check failed, voting against",
);
return
Judgement::Invalid
},
};

Expand Down
25 changes: 16 additions & 9 deletions node/core/pvf-checker/src/tests.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -157,7 +157,7 @@ impl TestState {
self.active_leaves_update(handle, Some(leaf), None, &[]).await
}

async fn deactive_leaves(
async fn deactivate_leaves(
&mut self,
handle: &mut VirtualOverseer,
deactivated: impl IntoIterator<Item = &Hash>,
Expand Down Expand Up @@ -894,8 +894,8 @@ fn unexpected_pvf_check_judgement() {
// Catch the pre-check request, but don't reply just yet.
let pre_check = test_state.expect_candidate_precheck(&mut handle).await;

// Now deactive the leaf and reply to the precheck request.
test_state.deactive_leaves(&mut handle, &[block_1.block_hash]).await;
// Now deactivate the leaf and reply to the precheck request.
test_state.deactivate_leaves(&mut handle, &[block_1.block_hash]).await;
pre_check.reply(PreCheckOutcome::Invalid);

// the subsystem must remain silent.
Expand All @@ -906,14 +906,17 @@ fn unexpected_pvf_check_judgement() {
});
}

// Check that we do not abstain for a nondeterministic failure. Currently, this means the behavior
// is the same as if the pre-check returned `PreCheckOutcome::Invalid`.
#[test]
fn abstain_for_nondeterministic_pvfcheck_failure() {
fn dont_abstain_for_nondeterministic_pvfcheck_failure() {
test_harness(|mut test_state, mut handle| {
async move {
let block_1 = FakeLeaf::new(dummy_hash(), 1, vec![dummy_validation_code_hash(1)]);
test_state
.activate_leaf_with_session(
&mut handle,
FakeLeaf::new(dummy_hash(), 1, vec![dummy_validation_code_hash(1)]),
block_1.clone(),
StartsNewSession { session_index: 2, validators: vec![OUR_VALIDATOR] },
)
.await;
Expand All @@ -922,10 +925,14 @@ fn abstain_for_nondeterministic_pvfcheck_failure() {
test_state.expect_session_for_child(&mut handle).await;
test_state.expect_validators(&mut handle).await;

test_state
.expect_candidate_precheck(&mut handle)
.await
.reply(PreCheckOutcome::Failed);
// Catch the pre-check request, but don't reply just yet.
let pre_check = test_state.expect_candidate_precheck(&mut handle).await;

// Now deactivate the leaf and reply to the precheck request.
test_state.deactivate_leaves(&mut handle, &[block_1.block_hash]).await;
pre_check.reply(PreCheckOutcome::Failed);

// the subsystem must remain silent.

test_state.send_conclude(&mut handle).await;
}
Expand Down
8 changes: 5 additions & 3 deletions roadmap/implementers-guide/src/node/utility/pvf-prechecker.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,11 +16,13 @@ To be relevant for the subsystem, a PVF must be returned by the [`pvfs_require_p

When a PVF just becomes relevant, the subsystem will send a message to the [Candidate Validation] subsystem asking for the pre-check.

Upon receving a message from the candidate-validation subsystem, the pre-checker will note down that the PVF has its judgement and will also sign and submit a [`PvfCheckStatement`][PvfCheckStatement] via the [`submit_pvf_check_statement` runtime API][PVF pre-checking runtime API]. In case, a judgement was received for a PVF that is no longer in view it is ignored. It is possible that the candidate validation was not able to check the PVF. In that case, the PVF pre-checker will abstain and won't submit any check statements.
Upon receving a message from the candidate-validation subsystem, the pre-checker will note down that the PVF has its judgement and will also sign and submit a [`PvfCheckStatement`][PvfCheckStatement] via the [`submit_pvf_check_statement` runtime API][PVF pre-checking runtime API]. In case, a judgement was received for a PVF that is no longer in view it is ignored.

Since a vote only is valid during [one session][overview], the subsystem will have to resign and submit the statements for for the new session. The new session is assumed to be started if at least one of the leaves has a greater session index that was previously observed in any of the leaves.
It is possible that the candidate validation was not able to check the PVF, e.g. if it timed out. In that case, the PVF pre-checker will vote against it. This is considered safe, as there is no slashing for being on the wrong side of a pre-check vote.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be nice to have a rationale on why we must reject instead of abstaining.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is better in two ways:

  1. Conclusion is reached faster - we have actual votes, instead of relying on a timeout.
  2. Being strict in pre-checking makes it safer to be more lenient in preparation errors afterwards. Hence we have more leeway in avoiding raising dubious disputes, without making things less secure.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know why, sr-labs explains it, but I don't see it in a guide :)


The subsystem tracks all the statement that it submitted within a session. If for some reason a PVF became irrelevant and then becomes relevant again, the subsystem will not submit a new statement for that PVF within the same session.
Since a vote only is valid during [one session][overview], the subsystem will have to resign and submit the statements for the new session. The new session is assumed to be started if at least one of the leaves has a greater session index that was previously observed in any of the leaves.

The subsystem tracks all the statements that it submitted within a session. If for some reason a PVF became irrelevant and then becomes relevant again, the subsystem will not submit a new statement for that PVF within the same session.

If the node is not in the active validator set, it will still perform all the checks. However, it will only submit the check statements when the node is in the active validator set.

Expand Down