op-node: Support multiple ELSync runs

[pcw109550]

To remove ReqRes P2P sync (RRSync) and replace the functionality it provides with the ELSync, we must make sure that the L2CL pushes forward to the L2EL the unsafe payloads that it receives, rather than just add them to its payloads heap within the EngineController.

So when we start with sync.CLSync, or sync.ELSync with initial EL Sync done,

func (s *SyncDeriver) OnUnsafeL2Payload(ctx context.Context, envelope *eth.ExecutionPayloadEnvelope) {
	// If we are doing CL sync or done with engine syncing, fallback to the unsafe payload queue & CL P2P sync.
	if s.SyncCfg.SyncMode == sync.CLSync || !s.Engine.IsEngineSyncing() {
		s.Log.Info("Optimistically queueing unsafe L2 execution payload", "id", envelope.ExecutionPayload.ID())
		s.Engine.AddUnsafePayload(ctx, envelope)
	} else if s.SyncCfg.SyncMode == sync.ELSync {
...

The op-node will queue the unsafe payload at the unsafe payload queue, at s.Engine.AddUnsafePayload(ctx, envelope), and trigger EngineController.onForkChoiceUpdate.

onForkChoiceUpdate will peek the unsafe payload queue, and only apply when

	// Only process the next payload if it is applicable on top of the current unsafe head.
	// This avoids prematurely attempting to insert non-adjacent payloads (e.g. height gaps),
	// which could otherwise trigger EL sync behavior.
	refParentHash := nextEnvelope.ExecutionPayload.ParentHash
	refBlockNumber := uint64(nextEnvelope.ExecutionPayload.BlockNumber)
	if refParentHash != event.UnsafeL2Head.Hash || refBlockNumber != event.UnsafeL2Head.Number+1 {
		e.log.Debug("Next unsafe payload is not applicable yet",
			"nextHash", nextEnvelope.ExecutionPayload.BlockHash, "nextNumber", refBlockNumber, "unsafe", event.UnsafeL2Head)
		return
	}

	// We don't pop from the queue. If there is a temporary error then we can retry.
	// Upon next forkchoice update or invalid-payload event we can remove it from the queue.
	e.processUnsafePayload(ctx, nextEnvelope)

We specifically need to allow that we may send the unsafe payload to the EL to trigger EL Sync again. This way, EL will get payloads signaled that won't be built on top of the current unsafe head at the EL. The notified EL will actively ask other EL peers to fill in the gap. Meanwhile, op-node will still consolidating and advancing its unsafe heads due to safe head advances. EL and CL will cooperatively close the gap.

[sebastianst]

I don't remember well the details of this part of the codebase, but maybe what needs to happen is that we entirely remove the notion of having different states of the EL node being tracked in the engine controller, removing all those syncStatus... enums and instead rework the code that interacts with the EL in a way that it always reacts properly to the EL being in SYNCING mode?

[ajsutton]

Yep agreed - we want to remove the state tracking entirely. Whenever a new unsafe payload is received via gossip (with the correct signature), we should send it to the EL via engine_newPayload and send it to the EL as the new unsafe payload via engine_forkChoiceUpdated (the finalized and safe heads will be unchanged from the last update and the unsafe/latest head is set to this new block).

One thing to note here is that if the unsafe block does not descend from the safe head, the EL will ultimately find the engine_forkChoiceUpdated call to be invalid. It may know that immediately and so return INVALID from the engine_forkChoiceUpdated call or it may not have the ancestors required to determine it yet and so return SYNCING. Later calls to engine_forkChoiceUpdated may return INVALID once the missing ancestors have been filled in. This can only happen if there's a safe head reorg (very rare but possible) or if the sequencer is misbehaving badly. We avoid this being a problem today because of the code above that checks the unsafe block we're adding builds on the previous unsafe block.

My suggestion is that if we get INVALID in response to engine_forkChoiceUpdated when updating the unsafe payload that we do one of:

1. Reset unsafe head to the last unsafe head we got a VALID response for (not SYNCING!)
2. Reset unsafe head back to the current unsafe head according to the EL
3. Reset unsafe head back to the safe head we're sending
4. Do a full reset of the derivation pipeline

Ultimately the safe head should progress and put us on the same chain as the sequencer and everything will be fine, but the risk with doing a full reset of the pipeline is that a misbehaving sequencer would cause us to constantly reset the pipeline and not make progress advancing safe. Option 1 requires extra tracking so I'd avoid it, but otherwise I'd be tempted to just do 3 and if the unsafe head is already the same as the safe, do a full pipeline reset.

The one other possibility is that the INVALID response to engine_forkChoiceUpdated should contain the last valid block hash and we could rollback to that, but there are some cases where the EL can't provide that info so we'd need another strategy in that case anyway and so it's not really worth the extra complexity to try to leverage this info.

[nonsense]

Thanks @ajsutton and @sebastianst , your comments here are very useful!