db/state: merge schedule non-determinism across nodes — impacts decentralized snapshot distribution

[mh0lt]

Problem

The aggregator merge schedule is not fully deterministic across nodes. Two nodes at the same step can have different file layouts due to:

1. Preverified legacy accommodation: getMergeLimit() in snap_repo.go adjusts merge limits based on preverified files, which differ across binary releases
2. Cross-domain coordination: commitment domain must wait for accounts/storage to merge first. Interrupted merges leave divergent intermediate states
3. Two merge code paths: aggregator.go (old, active) vs forkable_agg.go/snap_repo.go (new) with different merge logic

Why this matters

Decentralized snapshot distribution (#19660) requires nodes to compare what files they have. If the merge schedule is deterministic, two honest nodes at the same step produce identical files with identical torrent hashes — enabling direct hash comparison and threshold consensus (#19658).

If non-deterministic, we need structural range-coverage comparison instead of hash comparison, which is significantly more complex and weakens the trust model.

Current merge schedule

The bit-manipulation schedule (endStep & -endStep) is inherently deterministic:

Step  8: [0-8)
Step 12: [0-8) [8-12)
Step 16: [0-16)
Step 24: [0-16) [16-24)
Step 32: [0-32)

But it's perturbed by:

• maxSpan cap from stepsInFrozenFile (configurable via erigondb.toml)
• getMergeLimit() returning larger sizes when preverified files exist
• Commitment domain holding merges until accounts/storage catch up

Example of divergence

Node A (clean run):

v1.0-accounts.0-4096.kv    (deep merge)
v1.0-accounts.4096-4224.kv (128 steps)
v1.0-accounts.4224-4232.kv (8 steps)

Node B (interrupted merge, restarted):

v1.0-accounts.0-2048.kv    (partial deep merge)
v1.0-accounts.2048-4096.kv
v1.0-accounts.4096-4224.kv
v1.0-accounts.4224-4232.kv

Both cover steps 0-4232 but with different file boundaries and torrent hashes.

Proposed resolution

Make the merge schedule purely deterministic: given (step, MergeStages config), the expected file layout is computable. On startup, identify missing merges and execute them to converge to the canonical layout.

This would mean:

• All nodes at the same step produce identical files
• chain.toml can use hash comparison (simple, torrent-compatible)
• Threshold consensus works (same hash = agreement)
• UCAN can sign (chain, step) tuples — layout is implied

Alternative

Accept non-determinism and use structural range-coverage comparison in chain.toml. Files are compared by step range, not hash. More complex, weaker trust model.

Blocking

This decision blocks the chain.toml V2 format design (#19660) — the format differs depending on whether we can assume deterministic layouts.

Related issues

• Decentralized snapshot distribution via discv5 + BitTorrent #19660 — Decentralized snapshot distribution (umbrella)
• Decentralized snapshot distribution: POC — ENR + BitTorrent flow #19657 — POC
• Decentralized snapshot distribution: Statistical trust via threshold consensus #19658 — Statistical trust (threshold consensus)
• Decentralized snapshot distribution: Identity trust via UCAN delegation #19659 — Identity trust (UCAN)

[mh0lt]

Evidence: merge skip followed by catch-up burst

From actual qmtree root files on a running mainnet sync:

3328-3456   (128 steps)
3456-3488   (32 steps)
3488-3504   (16 steps)
3504-3512   (8 steps)
3512-3516   (4 steps)
3516-3518   (2 steps)
3518-3519   (1 step)    ← merges stop here
3519-3520   (1 step)    ← should have been [3456-3520) = 64-step merge
...32 consecutive single-step files...
3551-3552   (1 step)
3552-3568   (16 steps)  ← merges resume with catch-up
3568-3576   (8 steps)
3576-3580   (4 steps)
3584-3840   (256 steps) ← big catch-up merge
3840-3968   (128 steps)
3968-4032   (64 steps)

At step 3520 the deterministic schedule predicts a 64-step merge [3456-3520) but instead we get a single-step file. Merges were blocked for 32 steps, then a burst of catch-up merges produced the 3584-3840 (256-step) file.

This means:

• The file layout diverges from the deterministic schedule during merge stalls
• Catch-up merges produce different intermediate states depending on when/how the stall is resolved
• Two nodes experiencing different stall durations will have different file layouts at the same step

[mh0lt]

Root cause: merge loop falls behind during fast sync

The merge algorithm assumes it can keep up with step production. During initial sync (20+ blocks/sec), steps complete faster than deep merges can run. Small files pile up in a backlog, and when the merge loop catches up it finds a non-ideal layout.

This isn't qmtree-specific — affects all domains during initial sync. After sync reaches chain tip (1 block/12s), the merge loop has time to converge. But the initial sync window leaves an irregular file layout.

Impact on distribution:

• Freshly synced node: irregular layout (merge backlog artefact)
• Long-running node: cleaner layout (merge loop has caught up)
• Two nodes synced at different times: different layouts at the same step

Possible approaches:

1. Post-sync merge pass — run merge to convergence before publishing chain.toml
2. Only publish files at canonical merge boundaries in chain.toml (unmerged tail is local-only)
3. Accept non-determinism, use structural range-coverage comparison

Options 1-2 mean chain.toml only advertises "converged" files where hash comparison works. The unmerged tail near chain tip is excluded from P2P distribution.

[mh0lt]

Resolution direction: deterministic canonical layout + convergent merge

1. Define the canonical file layout function:

Given (step, MergeStages), compute the expected file set. This is the power-of-2 bit-manipulation schedule WITHOUT the maxSpan cap or preverified accommodation:

CanonicalLayout(step=4096) → [0-4096)
CanonicalLayout(step=4100) → [0-4096) [4096-4100) as 4 single files
CanonicalLayout(step=4104) → [0-4096) [4096-4104) as merged 8-step

The last element of MergeStages defines the deepest merge. Everything up to that boundary should be fully merged. The tail (steps past the last full merge) follows the standard bit schedule.

2. Fix the merge loop — convergent mode:

Instead of one opportunistic merge per cycle:

• Compute canonical layout for current step
• Diff against actual files on disk
• Execute all missing merges in order (deepest first) to converge
• This is idempotent: running it again produces no changes

On initial sync, the merge loop will fall behind — that's fine. But once sync slows down (at chain tip or after sync completes), the convergent merge runs until the layout matches the canonical target.

3. chain.toml only contains canonical files:

A file is only listed in chain.toml if it matches a canonical merge boundary. The unmerged tail near the chain tip is excluded — it's local working state, not distributable.

This means chain.toml content is deterministic: (chain, step) → canonical files → deterministic hashes → deterministic chain.toml.

4. Backward compatibility:

• getMergeLimit's preverified accommodation becomes unnecessary once all nodes converge to the canonical schedule
• Existing nodes with non-canonical layouts run the convergent merge on next startup
• Preverified files at non-canonical boundaries are treated as legacy and re-merged

[wmitsuda]

stepsInFrozenFile is configurable, but in practice it is static, predefined in our snapshotters. It used to be a hard coded constant, now it is a externalized constant, because tooling may change it (now it is only step rebase, but I predict in future we want to have more tooling to evolve snapshots geometry).

but I don't think it impacts merge determinism, because all nodes synced from our snapshotters will have the same setting unless manually changed (regular users shouldn't know what such thing is and are not expected to touch it). And I don't expect us rolling out changes to it during the same minor/bugfix Erigon release.

About the merging schedule, AFAIK it IS deterministic, but EVENTUALLY deterministic. e.g., on bloatnet I've seen many 1 step files accumulating because our merging is not optimized for such load (that's fine, we found a bottleneck on bloatnet, hence the experiment is serving its purpose), but if given enough time/resources, it should merge correctly into the correct grouping.

[wmitsuda]

have you seen evidence of 2 nodes producing let's say, [0-64) step range file sets with different contents?

[VBulikov]

yperbasis added Imp2 as Importance