Implement Version Upgrade Mechanism #3096
Conversation
paberr
force-pushed
the
pb/upgrade
branch
3 times, most recently
from
cad6edb to
42076ca
Compare
There was a problem hiding this comment.
I wonder if we should somehow support the case of someone not wanting an upgrade. In that case, they should probably not signal support for it — however, this means that they'll get deactivated on a version upgrade. This puts them in a bad spot. Could we maybe add a "I have technical support for this upgrade but I don't like it" flag that allows a validator to vote against an upgrade while not getting deactivated if it does get activated?
|
|
||
| _ => 1, | ||
| } | ||
| } |
There was a problem hiding this comment.
This should probably be a member variable of Policy instead.
|
|
||
| // We propose an upgraded block version only if: | ||
| // - `Policy::UPGRADE_MIN_SUPPORT` of the stake supports the upgrade. | ||
| // - `Policy::TWO_F_PLUS_ONE` slots support the upgrade. |
There was a problem hiding this comment.
Maybe also only upgrade when 80% of the slots support the upgrade? Otherwise, a few slots can successfully reject this proposal.
| validators: None, | ||
| next_batch_initial_punished_set, | ||
| ..Default::default() | ||
| }; |
There was a problem hiding this comment.
Most of this struct can probably be omitted since you specify ..Default::default() anyway.
blockchain/src/blockchain/slots.rs
Outdated
| let txn = txn.or_new(&self.db); | ||
| let staking_contract = self | ||
| .get_staking_contract_if_complete(Some(&txn)) | ||
| .expect("We should always have the staking contract."); |
There was a problem hiding this comment.
| .expect("We should always have the staking contract."); | |
| .expect("We should always have the staking contract"); |
There was a problem hiding this comment.
Is this actually guaranteed? Is there no way for next_validators to be called during state sync?
It feels overly restrictive and obfuscated for this function to require the staking contract to be present this way. I would prefer to have the staking contract as a parameter, making this requirement explicit. All call sites of next_validators have already called get_staking_contract_if_complete before calling next_validators anyways.
blockchain/src/blockchain/slots.rs
Outdated
| let txn = txn.or_new(&self.db); | ||
| let staking_contract = self | ||
| .get_staking_contract_if_complete(Some(&txn)) | ||
| .expect("We should always have the staking contract."); |
There was a problem hiding this comment.
Is this actually guaranteed? Is there no way for next_validators to be called during state sync?
It feels overly restrictive and obfuscated for this function to require the staking contract to be present this way. I would prefer to have the staking contract as a parameter, making this requirement explicit. All call sites of next_validators have already called get_staking_contract_if_complete before calling next_validators anyways.
| @@ -143,6 +143,22 @@ impl Blockchain { | |||
| if let Block::Macro(macro_block) = block { | |||
| // If we don't have the staking contract, there is nothing we can check. | |||
| if let Some(staking_contract) = self.get_staking_contract_if_complete(Some(txn)) { | |||
| // Verify validators. | |||
| let validators = match macro_block.is_election() { | |||
| true => Some(self.next_validators(¯o_block.header.seed, Some(txn))), | |||
There was a problem hiding this comment.
See other comment about the staking contract requirement.
| StakingContractStoreRead::new(data_store) | ||
| .iter_validators() | ||
| .filter_map(|validator| { | ||
| if validator.is_active() && support_check(validator.signal_data) { | ||
| Some(validator.total_stake) | ||
| } else { | ||
| None | ||
| } | ||
| }) | ||
| .sum() |
There was a problem hiding this comment.
Alternatively:
| StakingContractStoreRead::new(data_store) | |
| .iter_validators() | |
| .filter_map(|validator| { | |
| if validator.is_active() && support_check(validator.signal_data) { | |
| Some(validator.total_stake) | |
| } else { | |
| None | |
| } | |
| }) | |
| .sum() | |
| let staking_Contract_read = StakingContractStoreRead::new(data_store); | |
| self.active_validators | |
| .iter() | |
| .filter_map(|(validator_address, stake)| { | |
| let validator_signal_data = staking_contract_read | |
| .get_validator(address) | |
| .expect("Active Validators must be present in the Staking Contract.") | |
| .signal_data; | |
| support_check(validator_signal_data).then_some(*stake) | |
| }) | |
| .sum() |
Should also work. It shifts from going over all validator into going over only active validators and querying their signal data individually. May even be worse, just left it here for consideration.
| @@ -340,7 +340,6 @@ pub struct PolicyConstants { | |||
| pub coinbase_address: String, | |||
| pub transaction_validity_window: u32, | |||
| pub max_size_micro_body: usize, | |||
| pub version: u16, | |||
There was a problem hiding this comment.
This seems useful, why was it removed? Maybe rename it to max_supported_version?
| // - `Policy::TWO_F_PLUS_ONE` slots support the upgrade. | ||
| if supporting_slots >= Policy::TWO_F_PLUS_ONE | ||
| && u64::from(supporting_stake) * 100 / u64::from(total_active_stake) | ||
| >= Policy::UPGRADE_MIN_SUPPORT as u64 |
There was a problem hiding this comment.
Maybe that constant should be a u64 to begin with.
Add function for supporting slots
Produce upgraded blocks after gathering enough support
Implement upgrade test Add block tests Add accounts tree tests and fix block number Test creation of inherent
What's in this pull request?
This PR implements the mechanism to carry out breaking changes (version upgrades) after launch.
It mostly follows the specification in the Albatross paper with one exception:
We will not only check for the proportion of stake supporting the upgrade, but also for the proportion of slots supporting the upgrade. This makes sure we don't propose an upgrade in an epoch where less than 2f+1 elected validators support the upgrade.
Mechanism Overview
The version upgrade mechanism introduces the following key changes, discussed in a bit more detail below:
Block validity
The version number is stored in every block. We allow version upgrades only in election blocks.
Instead of checking against a constant version from the
Policy, block-level verification of the version is now split into two parts:Block::verify_header: Making sure that the version is always below or equal to the maximum supported versionPolicy::max_supported_version(network_id). The maximum supported version depends on the network, so that we can roll out changes in the testnet first.Block:: verify_immediate_successorandBlock::verify_macro_successor: Making sure that the version number can only increase in election blocks and only in steps of one. For all other scenarios, the version needs to match the predecessor's version. We test this in both functions as these are called in different scenarios.Helper functions
We only perform version upgrades when at least
Policy:: UPGRADE_MIN_SUPPORT% of the active stake signals support for the upgrade and when at leastPolicy::TWO_F_PLUS_ONEslots of the currently elected validators signals support.We add helper functions to determine the supporting stake and slots.
The
get_supporting_stakefunction is computationally expensive in that it iterates over all validators in the staking contract. This number is bounded by the validator deposit and we only call the function when proposing an election block and not being on the maximum version already.Currently, the support for a version is signalled by encoding the supported version in the first two bytes of the validator's signal data (in big-endian). This can still be changed later and be implemented version-specific in the
Policy::supports_upgradefunction.We also add a function to deactivate unsupportive stake, which is discussed in the section about the new inherent.
Producing an upgrade
Validators who updated their client and have a maximum supported version higher than the current blockchain's version (determined from the head block) will determine support for this upgrade whenever they are the ones to produce a macro proposal. Only when the conditions (
supporting_stake >= Policy:: UPGRADE_MIN_SUPPORT * active stake && supporting_slots > Policy::TWO_F_PLUS_ONE) are met, the proposal will contain the increased version number. If the proposal is accepted, the upgrade is successfully active from this block on (including this election block).There is no explicit check for validators to only vote for a block if they support the upgrade. If they updated their client and have a new maximum supported version, the proposal will be deemed valid and voted for. Validators not supporting the upgrade won't update their clients and will reject the proposal due to an invalid version.
Version upgrade inherent
The mechanism adds a new inherent
VersionUpgradethat also has the new version. It has the side effect of deactivating all validators that did not explicitly signal support for the new version with immediate effect. This also means that these unsupporting validators should not be selected for the next epoch (thus preventing possible stalls).Full nodes will apply this side-effect through trie-diffs. The inherent is not stored in the history and thus does not require any special handling.
Switching validator selection and accounts commit
In the current model, we first select the validators for the next epoch (based on the current staking contract) and then apply the accounts changes of an election block. The only accounts changes possible in an election block right now are: reward distribution and preparing the bitsets in the staking contract for the next epoch.
Since none of these have an effect on the validator selection, we switch the order of these two. This is required so that unsupporting validators are deactivated before the validator selection.
Tests
This PR includes unit tests in the following crates:
validator: Testing that the validator will propose an election block with a new version if the conditions are met.block: Testing the new validity rules.staking_contract: Testing correct computation of stake/slot support and correct handling of inherent.blockchain: Testing that the blockchain correctly emits the new inherent.Pull request checklist
clippyandrustfmtwarnings.