Should not prevote locked block when matching proposal not seen

[williambanfield]

There is an additional subtle divergence from the consensus mechanism as outlined in the tendermint paperand the mechanism as implemented in this codebase that was discovered in discussion with @milosevic @josef-widder and @cmwaters .

In the Tendermint paper, a correct process will only issue a prevote for a value v in round r in one of two cases:

case 1: The process receives a proposal issued in round r for value v and receives +2/3 prevotes for the value in round r. [arXiv paper line 30].
case 2: The process receives a proposal issued in round r for value v and previously stored v as its lockedValue. [arXiv paper line 24]

The tendermint implementation diverges slightly from this. If the go consensus algorithm has a locked block in a round it will prevote this locked block even if it did not see a proposal in the round. Additionally, it will prevote its locked block even if it does not match the proposed block.

These inconsistencies should be removed. Namely, the algorithm should be amended to ensure 1) a block was proposed in a round when a process with a locked block is going to prevote and 2) the proposed block matches the process's locked block when it is going to prevote.

[williambanfield]

This is a prerequisite for #2840

[cmwaters]

2. the proposed block matches the process's locked block when it is going to prevote.

It's okay if a validator receives a proposal B but is locked on a different block A to then prevote A i.e. the proposed block doesn't need to match the process's locked block.

[williambanfield]

It's okay if a validator receives a proposal B but is locked on a different block A to then prevote A i.e. the proposed block doesn't need to match the process's locked block.

From my reading of it, this does not appear to be a condition in the paper.

The two lines where a prevote for a non-nil value are issued by a validator are prevotes for the value in the proposal.

[milosevic]

We actually want to get rid of this behaviour (this is how it is currently implemented). A correct process should never prevote non-nil value that is different from a proposed value. The simplest way to think about this is that a proposer proposes a value, and other processes validate the proposal, and then if it is valid prevote for that value, if not prevote nil. Validation of proposal require looking at the (validValue, validRound) proposed and lockedValue and lockedRound; a process will accept proposal if it hasn't locked any value (lockedValue == nil) or if proposed value is more recent than the locked value. We also in the paper allow process to prevote for proposal if the proposed value is equal to locked value, but that can be seen as an optimisation as it is not needed for correctness. Accountable Tendermint version actually requires to get rid of this rule, as it is needed for simpler fork accountability algorithm.

[cmwaters]

Ok. I was simply going off the code.

Just to reiterate then: If you lock on block A, and in the following round block B is proposed then you would prevote nil