Upon receiving +2/3 `nil` precommits, the consensus state-machine does not proceed to the step `Propose(H,R+1)` as specified in the documentation, instead it waits for a timeout

[BrendanChou]

Bug Report

Setup

CometBFT version:v0.37.0 but also on main at time of writing. Code links are to v0.37.x in order to illustrate the issue.

Have you tried the latest version: yes

ABCI app N/A

Environment: N/A

node command runtime flags: N/A

What happened?

A validator took a long time to sync to a high round number.

This has downstream effects that I haven't formally proven. For example I suspect that it could be impossible (or at least very slow, only able to catch-up during the precommit step) for a validator to catch up to the latest round number in the case that +2/3 of other validators are online and incrementing the round number.

While there are theoretically ways (in the algorithm) for the validator to skip to future rounds once they see +2/3 prevotes or precommits for those future rounds, in-reality the validator may be reading serially from the consensus WAL which means they need to process all prior messages before processing newer (read: higher-round) messages. Due to the incorrect forcing of waiting for the timeout period, the serialization in slowed considerably and the validator cannot process the latest messages in a timely manner. Furthermore, this extends to the chain resuming increasing in height. If processing a long WAL backlog, the validator would be slow to catch up to the latest height because it would be waiting for timeouts on rounds from previous heights.

What did you expect to happen?

The validator should sync to the latest round pretty fast after being gossiped (or reading from WAL) +2/3 nil precommits on every round before the latest.

How to reproduce it

Reproduced by halting a chain with several completed rounds of +2/3 nil precommits. This could be done by, for example, hacking the code to reject all block proposals.

Then, restart a validator node at the latest height and round 0. It will take a long time to sync to the highest round because it will always timeout in the Precommit step even after seeing +2/3 nil precommits. Instead it should proceed directly to the next round.

This is further exacerbated by the increasing timeout periods that increase linearly per round, leading to the consumption of round^2 when trying to catch up to the latest round.

Where is the code

The incorrect code seems to be here

The spec can be found here

PR where this code was introduced. Some comment on that PR that this should be changed.

[cason]

The implementation indeed does not match the referenced spec, namely https://github.com/cometbft/cometbft/blob/v0.37.x/spec/consensus/consensus.md?plain=1#L184.

But in this case the implementation matches the pseudo-code on Tendermint consensus (https://arxiv.org/abs/1807.04938), which always requires a timeout precommit for moving to the next round.

This behavior was not introduced by the referred PR (tendermint/tendermint#2540). Notice that the code before this PR also instructed the node to wait for timeout precomit before moving to the next round, in the case 2/3+ Precommits for nil were received.

[cason]

I am not sure whether this is a bug.

The spec wrongly report this state transition (2/3+ Precommits for nil -> new round), that is not implemented in any version of CometBFT. It has to be investigated if it was even implemented in some previous version of the code. The simplest way to address this issue is to correct the spec, so that it matches the algorithm pseudo-code and the the consensus protocol implementation.

At the same time, we should consider the optimization of skipping timeout precommit when no block block can receive a polka (2/3+ Prevotes) during a round, this is a performance improvement. Notice that the role of the timeout precommit is to enable a node to update its validValue and validRound in the case a polka could be observed by a correct node. A node that sees a polka, locks into that value. The role of the timeout precommit is to enable correct nodes that haven't locked into a value to update their valid* fields, namely, to be aware that a value could have been locked by correct nodes during the round.

[BrendanChou]

Notice that the code before this PR also instructed the node to wait for timeout precomit before moving to the next round, in the case 2/3+ Precommits for nil were received.

I'm not seeing what you're seeing, could you link to the exact line in the PR?

But in this case the implementation matches the pseudo-code on Tendermint consensus (https://arxiv.org/abs/1807.04938), which always requires a timeout precommit for moving to the next round.

I agree that in the case of +2/3 nil votes, the pseudo-code forces a timeout. However, we should probably align on if we are expected to still follow this document. The spec is 1 year newer. In addition, there are already instances where the spec is followed over the whitepaper. For instance, timeoutCommit is in the spec but not the whitepaper (and is also implemented in the code)

[cason]

So, before PR tendermint/tendermint#2540, the code in case of 2/3+ Precommits was:

blockID, ok := precommits.TwoThirdsMajority()
if ok && len(blockID.Hash) != 0 {
   ...
} else if cs.Round <= vote.Round && precommits.HasTwoThirdsAny() {
   ...
   cs.enterPrecommitWait(height, vote.Round)
}

Source: https://github.com/cometbft/cometbft/blame/e1538bf67ea5122b0add392e93bd2a3ea73dee69/consensus/state.go#L1645

So, in case of 2/3+ Precommits for nil, we have TwoThirdsMajority and HasTwoThirdsAny, meaning that the else clause is executed, instructing the note to schedule a precommit_timeout.

[BrendanChou]

Isn't it the case that the else if clause is NOT executed typically because of the cs.Round <= vote.Round requirement?

[cason]

The main condition to be considered in this code excerpt is having 2/3+ Precommits for some value. When this is not the case, or until this is not the case, none of the blocks (if or else) should be executed.

The first block (the if) considers the good case, when we have a decision. The second block (the else if) considers the bad case, when a round does not succeed in deciding a value. This happens when we either have 2/3+ Precommits for nil, or for distinct values. In both cases, we have to schedule a timeout event that will get us out of the current round. We also do the same when the votes refer to a future round. We don't do that when the votes refer to a previous round, since we already conclude its execution.