Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(consensus): fix the hashes-in-blocks feature implementation #3529

Merged
merged 3 commits into from
Jan 22, 2025
Merged

fix(consensus): fix the hashes-in-blocks feature implementation #3529

merged 3 commits into from
Jan 22, 2025

Conversation

kpop-dfinity
Copy link
Contributor

@kpop-dfinity kpop-dfinity commented Jan 20, 2025
edited
Loading

Problem

Currently, with the feature flag enabled, when a node sends a block proposal to their peers it first removes all the ingress messages from the block's payload, leaving behind only the IngressMessageIds which identify the ingress messages. When a node receives such a "stripped" block proposal it reconstructs the block by retrieving the referenced ingress messages from:

  1. either their local ingress pools if there exists an ingress message with the given IngressMessageId there,
  2. or by requesting the missing ingress messages from peers who are advertising the block.

The problem with the approach is that the IngressMessageIds do not uniquely identify the the ingress messages and two ingresses with the same content but with different signatures have the same id. We thus could end up in a situation where peers reconstruct blocks different than what the block maker created.

Note

The feature is disabled on the Mainnet so no subnet is currently affected by the issue

Proposal

To address this problem we introduce a new type SignedIngressId (which contains both IngressMessageId and the hash of a original ingress message bytes) which uniquely identifies a SignedIngress, which is used only within the the block proposal assembler module. Everything else remains basically the same but we add several checks to make sure we put the correct ingress message in the block:

  1. when retrieving ingress messages from ingress pools by IngressMessageIds we double check that the SignedIngressId of the ingress message matches what we are expecting;
  2. same for when we get an ingress message from a peer.

Alternatives considered

Instead of introducing a new type, we could modify the existing IngressMessageId so that it uniquely identifies ingress messages.

disadvantages over the proposed solution:

  1. without any changes to the ingress pool we would end up with duplicates of the same ingress messages (but different signatures) in the pool & which would be further broadcasted to the other peers
  2. the duplication detection in the ingress selector would have to be modified
  3. computing IngressMessageId would be more expensive and we currently do it quite often
  4. the change would affect multiple more components

advantages over the proposed solution:

  1. in some corner-case situations in the proposed solution a node might have to fetch more ingress message from their peers

@github-actions github-actions bot added the fix label Jan 20, 2025
@kpop-dfinity kpop-dfinity changed the title fix(consensus): fix hashes-in-blocks feature fix(consensus): fix the hashes-in-blocks feature implementation Jan 20, 2025
@kpop-dfinity kpop-dfinity marked this pull request as ready for review January 20, 2025 18:04
@kpop-dfinity kpop-dfinity requested review from a team as code owners January 20, 2025 18:04
derlerd-dfinity
derlerd-dfinity approved these changes Jan 22, 2025
View reviewed changes
Copy link
Contributor

@derlerd-dfinity derlerd-dfinity left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interface changes LGTM.

rs/p2p/artifact_downloader/src/fetch_stripped_artifact/assembler.rs Show resolved Hide resolved
@derlerd-dfinity
Copy link
Contributor

One more thing that just crossed my mind: IIRC SignedIngress has more fields than the bytes we include in the hash. Can we somewhere document why it is safe to exclude these fields?

@kpop-dfinity
Copy link
Contributor Author

One more thing that just crossed my mind: IIRC SignedIngress has more fields than the bytes we include in the hash. Can we somewhere document why it is safe to exclude these fields?

Sure, I'll add a comment to the type definition

@kpop-dfinity kpop-dfinity added this pull request to the merge queue Jan 22, 2025
Merged via the queue into master with commit 6d3c488 Jan 22, 2025
26 checks passed
@kpop-dfinity kpop-dfinity deleted the kpop/fix_hashes branch January 22, 2025 12:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@derlerd-dfinity derlerd-dfinity derlerd-dfinity approved these changes

@eichhorl eichhorl eichhorl approved these changes

@yvonneanne yvonneanne yvonneanne approved these changes

Assignees
No one assigned
Labels
@consensus fix @ic-interface-owners
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@kpop-dfinity @derlerd-dfinity @yvonneanne @eichhorl