Populate timestamp field of Block #3733

nick-mobilecoin · 2023-11-20T17:52:45Z

When values are proposed to SCP, a timestamp is provided with the
proposed value. These timestamps are validated and consolidated to
populate the timestamp field of the Block.

nick-mobilecoin · 2023-11-20T17:52:57Z

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

Populate timestamp field of Block #3733 👈
Add timestamp field to Block #3734
main

This stack of pull requests is managed by Graphite. Learn more about stacking.

Join @nick-mobilecoin and the rest of your teammates on Graphite

consensus/enclave/impl/src/lib.rs

consensus/service/src/mint_tx_manager/mod.rs

consensus/service/src/timestamp_validator.rs

nick-mobilecoin · 2023-11-20T21:54:43Z

The approach in #3711 didn't pan out.
The reason being that adding a timestamp as a ConsensusValue means that it is in a common pool of the other ConsensusValues.
When SCP process nominations and ballots, it's possible that it only takes a subset of the values in the pool. When this happens the timestamp could be taken initially and then later on the next attempt there is no timestamp in the pool of values SCP pulls from. SCP treats the ConsensusValues opaquely so it would have required updating SCP to have some kind of understanding that it needs one of the timestamp variant, and then it would need to callback somehow to re-populate with a timestamp. This re-population would need to be synchronized across the nodes.

consensus/enclave/impl/src/lib.rs

consensus/service/src/timestamp_validator.rs

eranrund

Overall this LGTM but there's an issue with the nonce de-duping stuff in the mint/mint config txs, and maybe a need to allow for timestamps in the near future. I made comments with more details in the relevant parts.
After those are addressed I'll take a second pass at this since while on the surface this is fairly easy to follow, I do want to increase the chances of not missing anything since this does change the blockchain in a meaningful way.
Thanks for iterating on this!

consensus/enclave/impl/src/lib.rs

consensus/service/src/byzantine_ledger/worker.rs

consensus/service/src/timestamp_validator.rs

consensus/service/src/tx_manager/mod.rs

consensus/service/src/mint_tx_manager/mod.rs

consensus/enclave/impl/src/lib.rs

consensus/service/src/timestamp_validator.rs

consensus/enclave/mock/src/lib.rs

When values are proposed to SCP, a timestamp is provided with the proposed value. These timestamps are validated and consolidated to populate the timestamp field of the `Block`.

Previously timestamp validation would fail if the timestamp was in the future, now a 3 second window is allowed to occur to account for skew between consensus nodes.

Previously MintTx and MintConfigTx would deduplicate by the entire value of the structure. Now only the nonce and token id are looked at for deduplication. This prevents transactions with the same nonce and token id, but with a different value.

Previously a timestamp in SCP would be marked invalid if it exceeded 30 seconds. This posed a problem if multiple nodes were flooded with transactions that exceeded their capacity, and the nodes were stalled enough such that it took more than 30 seconds to get the value + timestamp to a quorum. Now timestamps are only ensured to not be in the future and to be increasing from the last block's timestamp.

nick-mobilecoin · 2023-11-30T17:24:14Z

@eranrund I believe I've addressed the timestamp locking up consensus in 6bcb229

The failure case:
consensus was not able to proceed because a value's timestamp had exceeded the age of 30 seconds.

The slam test threw enough transactions at a node to exceed the PENDING_LIMIT of transactions.
While this node was bogged down handling these, it wasn't able to get a consensus message to all the other nodes within the 30 second time. Thus, in this instance, nodes 3302 and 3303 saw the values within the 30 second time, but nodes 3300, 3301 and 3304 did not see these values within the time period. For this test, transactions were only being sent to one node, 3302 or 3303. Since this was the only node proposing txs, the network got stuck, because this node felt those values were all valid and per SCP a node can't change it's mind on voting to nominate a value. Currently the only slot reset mechanism is if a node sees that the other nodes are moving forward in the blockchain without it, then that node will abort a slot attempt and catch up.
In this test scenario, only one node was receiving transactions so there was no way for the block to move forward. While less likely, there is potential for this in the real network if one were able to flood transactions to enough nodes and stall them enough such that the necessary quorum considered all other the values invalid due to time out.

We could increase the age out time to something like 5 or 10 minutes, to reduce the likely hood of this event but still allow manual restarts. However, in general I'm thinking we shouldn't allow values to become invalid outside of the blockchain moving forward.

nick-mobilecoin · 2023-11-30T17:57:29Z

I'm currently looking at the failure on https://github.com/mobilecoinfoundation/mobilecoin/actions/runs/7049871021/job/19189327703
I haven't seen that one before so it may be related to this change :(.

eranrund · 2023-11-30T18:02:43Z

@eranrund I believe I've addressed the timestamp locking up consensus in 6bcb229

The failure case: consensus was not able to proceed because a value's timestamp had exceeded the age of 30 seconds.

The slam test threw enough transactions at a node to exceed the PENDING_LIMIT of transactions. While this node was bogged down handling these, it wasn't able to get a consensus message to all the other nodes within the 30 second time. Thus, in this instance, nodes 3302 and 3303 saw the values within the 30 second time, but nodes 3300, 3301 and 3304 did not see these values within the time period. For this test, transactions were only being sent to one node, 3302 or 3303. Since this was the only node proposing txs, the network got stuck, because this node felt those values were all valid and per SCP a node can't change it's mind on voting to nominate a value. Currently the only slot reset mechanism is if a node sees that the other nodes are moving forward in the blockchain without it, then that node will abort a slot attempt and catch up. In this test scenario, only one node was receiving transactions so there was no way for the block to move forward. While less likely, there is potential for this in the real network if one were able to flood transactions to enough nodes and stall them enough such that the necessary quorum considered all other the values invalid due to time out.

We could increase the age out time to something like 5 or 10 minutes, to reduce the likely hood of this event but still allow manual restarts. However, in general I'm thinking we shouldn't allow values to become invalid outside of the blockchain moving forward.

Thanks for digging into this - this makes sense. I think removing that check is acceptable.

The current CI failure is also an interesting one but since it's fog I somehow doubt its related to the changes in this PR. I've re-ran it to see what happens.

nick-mobilecoin · 2023-11-30T18:17:47Z

Ci failures, similar issues have happened

https://github.com/mobilecoinfoundation/mobilecoin/actions/runs/7015015061/job/19083645642?pr=3745 sigabort for overlapping stores
https://github.com/mobilecoinfoundation/mobilecoin/actions/runs/6966440282/job/18956600747?pr=3741 sigabort for overlapping stores

eranrund

LGTM, but we should probably wait for an accepted MCIP before merging.
Thanks for working through this!

consensus/service/src/tx_manager/mod.rs

Co-authored-by: Eran Rundstein <eran@rundste.in>

nick-mobilecoin changed the title ~~Provide proposed timestamp along with tx~~ WIP: Provide proposed timestamp along with tx Nov 20, 2023

nick-mobilecoin changed the title ~~WIP: Provide proposed timestamp along with tx~~ WIP(CI test run): Provide proposed timestamp along with tx Nov 20, 2023

nick-mobilecoin changed the base branch from main to nick/timestamp-on-block November 20, 2023 21:31

nick-mobilecoin force-pushed the nick/scp-timestamp-type branch from 8423ec7 to f3d2171 Compare November 20, 2023 21:31

nick-mobilecoin marked this pull request as ready for review November 20, 2023 21:31

nick-mobilecoin mentioned this pull request Nov 20, 2023

Add timestamp field to Block #3734

Open

nick-mobilecoin changed the title ~~WIP(CI test run): Provide proposed timestamp along with tx~~ Populate timestamp field of Block Nov 20, 2023