Verify snapshot slot deltas #26666
Verify snapshot slot deltas #26666
Conversation
runtime/src/snapshot_utils.rs
Outdated
| } | ||
|
|
||
| // all entries should be for slots less than or equal to the bank's slot | ||
| if *slot > bank_slot { |
There was a problem hiding this comment.
could you also verify lower bound of *slot with picking a valid offset after reading the relevant bank code?
There was a problem hiding this comment.
could you also verify lower bound of
*slotwith picking a valid offset after reading the relevant bank code?
I need to step away from my computer now; I did look through the status cache code and only saw the limits on the total number of entries (status_cache::MAX_CACHE_ENTRIES), but did not see a minimum slot check. This makes sense to me, as slots are not guaranteed to be rooted, right? Is there a minimum slot check somewhere else that you were thinking of and could point me to? TIA
There was a problem hiding this comment.
Is there a minimum slot check somewhere else that you were thinking of and could point me to?
@brooksprumo (sorry for delayed review...)
hmm, there should be none atm. that's the reason snapshot code isn't well guarded in general. and you're helping remedying the situation, sounds cool. :)
come to think of it, you can compare against the slot history sysvar. For sample, see adjust_lockouts_after_replay (btw, one of my proud robust code is here, lol. fyi, it has unfixed really special case insignificant bug still...):
Line 1162 in ad0acaa
Referencing sysvars for snapshot sanitization is the general direction, which I'd like to see. And, putting more deta onto chain as new sysvars as well. so that we have moar trusted (voted) on chain data for internal bank state sanitization. maybe eventually all. :)
Using the slot history sysvar, you can compute precise block height, thus lower bound in terms of slot number by looping over the sysvar MAX_CACHE_ENTRIES times.
Also, you can now validate whether the given slot delta for a slot is actually for a skipped block or not. And more, you can detect any missing slot delta which should exist actually according to the slot history sysvar.
did not see a minimum slot check. This makes sense to me, as slots are not guaranteed to be rooted, right?
hmm, there is no minimum slot check for lack of manpower. and it should be unrelated to another fact that slots aren't rooted always. What links these things together in your mind?
There was a problem hiding this comment.
you can compare against the slot history sysvar.
Ah, very cool! Thanks for the pointer.
Referencing sysvars for snapshot sanitization is the general direction, which I'd like to see. And, putting more deta onto chain as new sysvars as well. so that we have moar trusted (voted) on chain data for internal bank state sanitization. maybe eventually all. :)
Love this idea!
Using the slot history sysvar, you can compute precise block height, thus lower bound in terms of slot number by looping over the sysvar
MAX_CACHE_ENTRIEStimes.Also, you can now validate whether the given slot delta for a slot is actually for a skipped block or not. And more, you can detect any missing slot delta which should exist actually according to the slot history sysvar.
I've pushed a commit that attempts to do this. Thanks for the suggestion!
did not see a minimum slot check. This makes sense to me, as slots are not guaranteed to be rooted, right?
hmm, there is no minimum slot check for lack of manpower. and it should be unrelated to another fact that slots aren't rooted always. What links these things together in your mind?
This was me saying that the SlotHistory may have entries for slots [10, 11, 12, 13, 18, 19, 20], because slots 14-17 were either never produced or were on a bad fork. Same for slot deltas. So the lowest slot number in the slot deltas cannot be calculated simply as bank.slot() - MAX_CACHE_ENTRIES.
|
@brooksprumo sorry for late review... i added some improvement suggestions. let's make status cache robust together. :) |
|
@ryoqun Ok! This PR is ready for another review. |
brooksprumo
force-pushed
the
status-cache/verify
branch
from
889aa07 to
9c93e97
Compare
|
Had to rebase onto newer master due to serde rust security issue. Should be ready for another review! |
Done! Verification was successful for both a freshly downloaded mnb snapshot, and one created with ledger-tool. |
* refactor: extract store_stake_accounts fn * refactor: extract store_vote_account fn * refactor: extract reward history update fn * remove avg point value from pay_valiator fn. not used * clippy: slice * clippy: slice * remove abort() from test-validator (#27124) * chore: bump bytes from 1.1.0 to 1.2.1 (#27172) * chore: bump bytes from 1.1.0 to 1.2.1 Bumps [bytes](https://github.com/tokio-rs/bytes) from 1.1.0 to 1.2.1. - [Release notes](https://github.com/tokio-rs/bytes/releases) - [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md) - [Commits](tokio-rs/bytes@v1.1.0...v1.2.1) --- updated-dependencies: - dependency-name: bytes dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * [auto-commit] Update all Cargo lock files Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: dependabot-buildkite <dependabot-buildkite@noreply.solana.com> * Share Ancestors API get with contains_key (#27161) consolidate similar fns * Rename to `MAX_BLOCK_ACCOUNTS_DATA_SIZE_DELTA` (#27175) * chore: bump libc from 0.2.129 to 0.2.131 (#27162) * chore: bump libc from 0.2.129 to 0.2.131 Bumps [libc](https://github.com/rust-lang/libc) from 0.2.129 to 0.2.131. - [Release notes](https://github.com/rust-lang/libc/releases) - [Commits](rust-lang/libc@0.2.129...0.2.131) --- updated-dependencies: - dependency-name: libc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * [auto-commit] Update all Cargo lock files Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: dependabot-buildkite <dependabot-buildkite@noreply.solana.com> * reverts wide fanout in broadcast when the root node is down (#26359) A change included in #20480 was that when the root node in turbine broadcast tree is down, the leader will broadcast the shred to all nodes in the first layer. The intention was to mitigate the impact of dead nodes on shreds propagation, because if the root node is down, then the entire cluster will miss out the shred. On the other hand, if x% of stake is down, this will cause 200*x% + 1 packets/shreds ratio at the broadcast stage which might contribute to line-rate saturation and packet drop. To avoid this bandwidth saturation issue, this commit reverts that logic and always broadcasts shreds from the leader only to the root node. As before we rely on erasure codes to recover shreds lost due to staked nodes being offline. * add getTokenLargestAccounts rpc method to rust client (#26840) * add get token largest accounts rpc call to client * split to include with commitment * Bump spl-token-2022 (#27181) * Bump token-2022 to 0.4.3 * Allow cargo to bump stuff to v1.11.5 * VoteProgram.safeWithdraw function to safeguard against accidental vote account closures (#26586) feat: safe withdraw function Co-authored-by: aschonfeld <andrew@proofofalpha.io> * chore: bump futures from 0.3.21 to 0.3.23 (#27182) * chore: bump futures from 0.3.21 to 0.3.23 Bumps [futures](https://github.com/rust-lang/futures-rs) from 0.3.21 to 0.3.23. - [Release notes](https://github.com/rust-lang/futures-rs/releases) - [Changelog](https://github.com/rust-lang/futures-rs/blob/master/CHANGELOG.md) - [Commits](rust-lang/futures-rs@0.3.21...0.3.23) --- updated-dependencies: - dependency-name: futures dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * [auto-commit] Update all Cargo lock files Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: dependabot-buildkite <dependabot-buildkite@noreply.solana.com> * chore: bump nix from 0.24.2 to 0.25.0 (#27179) * chore: bump nix from 0.24.2 to 0.25.0 Bumps [nix](https://github.com/nix-rust/nix) from 0.24.2 to 0.25.0. - [Release notes](https://github.com/nix-rust/nix/releases) - [Changelog](https://github.com/nix-rust/nix/blob/master/CHANGELOG.md) - [Commits](nix-rust/nix@v0.24.2...v0.25.0) --- updated-dependencies: - dependency-name: nix dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * [auto-commit] Update all Cargo lock files Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: dependabot-buildkite <dependabot-buildkite@noreply.solana.com> * Parse ConfidentialTransaction instructions (#26825) Parse ConfidentialTransfer instructions * snapshots: serialize version file first (#27192) serialize version file first * serialize incremental_snapshot_hash (#26839) * serialize incremental_snapshot_hash * pr feedback * derives Error trait for ClusterInfoError and core::result::Error (#27208) * Add clean_accounts_for_tests() (#27200) * Rust v1.63.0 (#27148) * Upgrade to Rust v1.63.0 * Add nightly_clippy_allows * Resolve some new clippy nightly lints * Increase QUIC packets completion timeout Co-authored-by: Michael Vines <mvines@gmail.com> * docs: updated "transaction fees" page (#26861) * docs: transaction fees, compute units, compute budget * docs: added messages definition * Revert "docs: added messages definition" This reverts commit 3c56156. * docs: added messages definition * Update docs/src/transaction_fees.md Co-authored-by: Jacob Creech <82475023+jacobcreech@users.noreply.github.com> * fix: updates from feedback Co-authored-by: Jacob Creech <82475023+jacobcreech@users.noreply.github.com> * sdk: Fix args after "--" in build-bpf and test-bpf (#27221) * Flaky Unit Test test_rpc_subscriptions (#27214) Increase unit test timeout from 5 seconds to 10 seconds * chore: only buildkite pipelines use sccache in docker-run.sh (#27204) chore: only buildkite ci use sccache * clean feature: `prevent_calling_precompiles_as_programs` (#27100) * clean feature: prevent_calling_precompiles_as_programs * fix tests * fix test * remove comment * fix test * feedback * Add get_account_with_commitment to BenchTpsClient (#27176) * Fix a corner-case panic in get_entries_in_data_block() (#27195) #### Problem get_entries_in_data_block() panics when there's inconsistency between slot_meta and data_shred. However, as we don't lock on reads, reading across multiple column families is not atomic (especially for older slots) and thus does not guarantee consistency as the background cleanup service could purge the slot in the middle. Such panic was reported in #26980 when the validator serves a high load of RPC calls. #### Summary of Changes This PR makes get_entries_in_data_block() panic only when the inconsistency between slot-meta and data-shred happens on a slot older than lowest_cleanup_slot. * Verify snapshot slot deltas (#26666) * store-tool: log lamports for each account (#27168) log lamports for each account * add an assert for a debug feature to avoid wasted time (#27210) * remove redundant call that bumps age to future (#27215) * Use from_secs api to create duration (#27222) use from_secs api to create duration * reorder slot # in debug hash data path (#27217) * create helper fn for clarity (#27216) * Verifying snapshot bank must always specify the snapshot slot (#27234) * Remove `Bank::ensure_no_storage_rewards_pool()` (#26468) * cli: Add subcommands for address lookup tables (#27123) * cli: Add subcommand for creating address lookup tables * cli: Add additional subcommands for address lookup tables * short commands * adds hash domain to ping-pong protocol (#27193) In order to maintain backward compatibility, for now the responding node will hash the token both with and without domain so that the other node will accept the response regardless of its upgrade status. Once the cluster has upgraded to the new code, we will remove the legacy domain = false case. * Revert "Rust v1.63.0 (#27148)" (#27245) This reverts commit a2e7bdf. * correct double negation (#27240) * Enable QUIC client by default. Add arg to disable QUIC client. (Forward port #26927) (#27194) Enable QUIC client by default. Add arg to disable QUIC client. * Enable QUIC client by default. Add arg to disable QUIC client. * Deprecate --disable-quic-servers arg * Add #[ignore] annotation to failing tests * slots_connected: check if the range is connected (>= ending_slot) (#27152) * create-snapshot check if snapshot slot exists (#27153) * Add Bank::clean_accounts_for_tests() (#27209) * Call `AccountsDb::shrink_all_slots()` directly (#27235) * add ed25519_program to built-in instruction cost list (#27199) * add ed25519_program to built-in instruction cost list * Remove unnecessary and stale comment * simple refactorings to disk idx (#27238) * add _inclusive for clarity (#27239) * eliminate unnecessary ZERO_RAW_LAMPORTS_SENTINEL (#27218) * make test code more clear (#27260) * banking stage: actually aggregate tracer packet stats (#27118) * aggregated_tracer_packet_stats_option was alwasys None * Actually accumulate tracer packet stats * Refactor epoch reward 1 (#27253) * refactor: extract store_stake_accounts fn * clippy: slice Co-authored-by: haoran <haoran@mbook> * recovers merkle shreds from erasure codes (#27136) The commit * Identifies Merkle shreds when recovering from erasure codes and dispatches specialized code to reconstruct shreds. * Coding shred headers are added to recovered erasure shards. * Merkle tree is reconstructed for the erasure batch and added to recovered shreds. * The common signature (for the root of Merkle tree) is attached to all recovered shreds. * Simplify `Bank::clean_accounts()` by removing params (#27254) * Account files remove (#26910) * Create a new function cleanup_accounts_paths, a trivial change * Remove account files asynchronously * Update and simplify the implementation after the validator test runs. * Fixes after testing on the dev device * Discard tokio. Use thread instead * Fix comments format * Fix config type to pass the github test * Fix failed tests. Handle the case of non-existing path * Final cleanup, addressing the review comments Avoided OsString. Made the function more generic with "impl AsRef<Path>" Co-authored-by: Jeff Washington <jeff.washington@solana.com> * Refactor: Flattens `TransactionContext::instruction_trace` (#27109) * Flattens TransactionContext::instruction_trace. * Stop the search at transaction level. * Renames get_instruction_context_at => get_instruction_context_at_nesting_level. * Removes TransactionContext::get_instruction_trace(). Adds TransactionContext::get_instruction_trace_length() and TransactionContext::get_instruction_context_at_index(). * Have TransactionContext::instruction_accounts_lamport_sum() accept an iterator instead of a slice. * Removes instruction_trace from ExecutionRecord. * make InstructionContext::new() private * Parallel insertion of dirty store keys during clean (#27058) parallelize dirty store key insertion * Refactor epoch reward 2 (#27257) * refactor: extract store_stake_accounts fn * refactor: extract store_vote_account fn * clippy: slice * clippy: slice * fix merge error Co-authored-by: haoran <haoran@mbook> * Standardize thread names Tenets: 1. Limit thread names to 15 characters 2. Prefix all Solana-controlled threads with "sol" 3. Use Camel case. It's more character dense than Snake or Kebab case * cleanup comment on filter_zero_lamport_clean_for_incremental_snapshots (#27273) * remove inaccurate log (#27255) * patches metrics for invalid cached vote/stake accounts (#27266) patches invalid cached vote/stake accounts metrics Invalid cached vote accounts is overcounting actual mismatches, and invalid cached stake accounts is undercounting. * Refactor epoch reward 3 (#27259) * refactor: extract store_stake_accounts fn * refactor: extract store_vote_account fn * refactor: extract reward history update fn * clippy: slice * clippy: slice Co-authored-by: haoran <haoran@mbook> * fix merges Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: haoran <haoran@mbook> Co-authored-by: Jeff Biseda <jbiseda@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: dependabot-buildkite <dependabot-buildkite@noreply.solana.com> Co-authored-by: Brooks Prumo <brooks@solana.com> Co-authored-by: behzad nouri <behzadnouri@gmail.com> Co-authored-by: AJ Taylor <anthonjtaylor@gmail.com> Co-authored-by: Tyera Eulberg <tyera@solana.com> Co-authored-by: Andrew Schonfeld <andrew.schonfeld1@gmail.com> Co-authored-by: aschonfeld <andrew@proofofalpha.io> Co-authored-by: apfitzge <apfitzge@users.noreply.github.com> Co-authored-by: Jeff Washington (jwash) <wash678@gmail.com> Co-authored-by: Brennan Watt <brennan.watt@solana.com> Co-authored-by: Michael Vines <mvines@gmail.com> Co-authored-by: Nick Frostbutter <75431177+nickfrosty@users.noreply.github.com> Co-authored-by: Jacob Creech <82475023+jacobcreech@users.noreply.github.com> Co-authored-by: Jon Cinque <jon.cinque@gmail.com> Co-authored-by: Yihau Chen <a122092487@gmail.com> Co-authored-by: Justin Starry <justin@solana.com> Co-authored-by: kirill lykov <kirill.lykov@solana.com> Co-authored-by: Yueh-Hsuan Chiang <93241502+yhchiang-sol@users.noreply.github.com> Co-authored-by: leonardkulms <42893075+leonardkulms@users.noreply.github.com> Co-authored-by: Will Hickey <will.hickey@solana.com> Co-authored-by: Tao Zhu <82401714+taozhu-chicago@users.noreply.github.com> Co-authored-by: Xiang Zhu <xzhu70@gmail.com> Co-authored-by: Jeff Washington <jeff.washington@solana.com> Co-authored-by: Alexander Meißner <AlexanderMeissner@gmx.net>
(cherry picked from commit d2868f4)
(cherry picked from commit d2868f4) # Conflicts: # runtime/src/snapshot_utils.rs
Problem
The snapshot slot deltas are not really verified before reconstructing the status cache.
There's not a ton of verification to do here without needing to add really full-blown verification, but there is some low hanging fruit.
Summary of Changes
Verify the snapshot slot deltas before reconstructing the status cache.
PR Tasks
meta issue: #7167