Chain halts when validator with >1/3 voting power is unable to sign replayed prevote

[sergio-mena]

Tendermint version (use tendermint version or git rev-parse --verify HEAD if installed from source):

master (v0.37.x), commit is e84ca61

ABCI app

e2e APP

Environment:

Tendermint's CI

What happened:

When running e2e nightly tests, one network fails to make progress at a given point (networks/nightly/gen-group00-0007.toml)

What you expected to happen:

e2e tests should pass

Have you tried the latest version: yes/no

Latest version tried was CI e2e-nightly-test, on 2022-06-08

How to reproduce it (as minimally and precisely as possible):

Couldn't repro on laptop so far. Looks like CI is able to hit it frequently

Logs (paste a small part showing an error (< 10 lines) or link a pastebin, gist, etc. containing more of the log file):

See the Github run

Config (you can paste only the changes you've made):

The testnet is networks/nightly/gen-group00-0007.toml

node command runtime flags:

Please check e2e logs

Please provide the output from the http://<ip>:<port>/dump_consensus_state RPC endpoint for consensus bugs

N/A

Anything else we need to know:

After some inspection in logs and source code, this is what we currently know:

• validator02 restarts [02:52:07], just after it has proposed in height 45, round 0, and it has prevoted for it
• while validator02 is down, network can't progress: validator02 holds >1/3 voting power
• when validator02 restarts it hanshakes (OK) [02:52:20], switches to consensus [02:52:21], and replays the WAL
• validator02 replays its own proposal [02:52:21], which is then seen by the other validators for the first time (so there is connectivity)
• at the moment of replaying its prevote for its own proposal [02:52:21], it finds a conflict between what it last signed (FilePVLastSignState) and what it is supposed to sign now as part of the replay. So it errors out and doesn't send its prevote (as it can't sign it)
• the error seen in the log contains the replayed prevote; looking at its contents it seems a nil prevote, which seems strange as it was its own proposal
• finally, as validator02 errors without being able to send its prevote (whether nil or not) for height 45, round 0. All processes get stuck in height 45, round 0 forever (probably after having prevoted nil), since they can't gather enough voting power worth of prevotes in height 45, round 0 to set up their timeoutPrevote timer and be able to advance to round 1.

As a result of this, the problem seems to be in replaying the prevotes, when the crashed process has >1/3 of the voting power.

The next step should be get a repro with increased log verbosity so we can compare the two prevotes that validator02 is seeing as potential double-signing here

[creachadair]

Really great debugging here.

[sergio-mena]

Really great debugging here.

Thanks, however I'm quite frustrated as I can't repro it, and we need the extra debug logs to find a way to fix this.

[sergio-mena]

I think I found the problem.

• The way I managed to reproduce it locally (my laptop) is by adding a "sleep" for 1 second here
• This way I could repro it with "debug" logging level

When reproing with debug level, we see the following:

• First, validator02 prevotes for the proposal:
  validator02 | 2022-06-10T21:30:39Z DEBUG prevote step: ProposalBlock is valid and there is no locked block; prevoting the proposal height=32 module=consensus round=0
• Then validator02 is restarted
  validator02 | 2022-06-10T21:30:50Z INFO starting service impl=SignerServer service=SignerServer
• Then validator02 completes ABCI hanshake
  validator02 | 2022-06-10T21:30:52Z INFO Completed ABCI Handshake - Tendermint and App are synced appHash="&7F21�\x04�]wl'��)�h\x0f�c>V]~\x01��?LF" appHeight=30 module=handshaker
• and starts replaying the WAL
  validator02 | 2022-06-10T21:30:55Z INFO Catchup by replaying consensus messages height=32 module=consensus
• and, at the end of the replay, it is supposed to resent its prevote again. But this time, as 16 seconds have elapsed from the last time the validator first received the proposal, it is no longer timely from PBTS perspective:
  validator02 | 2022-06-10T21:30:55Z DEBUG prevote step: Proposal is not timely; prevoting nil height=32 module=consensus msg_delay=12000 precision=505 proposed=2022-06-10T21:30:39.13899268Z received=0001-01-01T00:00:00Z round=0
• Finally, privval complains with "conflicting data", and for a reason, as we are trying to sign both non-nil and nil prevotes for height 32, round 0

I think the fix should consist in extending this check here to also check that cs.replayMode is false. I will try this fix tomorrow (since I am now able to repro easily).

[sergio-mena]

Just had a discussion with Daniel. Further discussions spec-wise is needed, w.r.t., the crash recovery model and what can be considered equivocation in that context.
Additionally, we explored the possible solutions and we're not 100% convinced it is easy to fix without changing the WAL format (and thus complicating possible upgrade scenarios).

Assigning the issue to Daniel.

[williambanfield]

In v0.36+, we have the timestamp that the proposal was received in the form of this ReceiveTime field.

tendermint/internal/consensus/state.go

Line 53 in 1062ae7

ReceiveTime time.Time

It seems to me that we could just use this field to determine if the proposal is timely. If the ReceiveTime is within the timely bounds of the proposal's time, then we consider it timely. It appears that, at the moment, that field is not being encoded correctly judged from the logs displaying: received=0001-01-01T00:00:00Z for the field during replay. Looking at the code, this is because the ReceiveTime is not included in the MsgInfo proto that is written into the WAL.

we're not 100% convinced it is easy to fix without changing the WAL format (and thus complicating possible upgrade scenarios.)

I agree, it seems like changing the WAL may be needed and that may have implications across an upgrade. A few things that are worth noting here:

1. The WAL is written and read as a series of proto encoded messages.
2. Deserializing an old version of serialized proto into an updated structure is a completely safe operation, so long as no breaking changes have been made (re-numbering fields for example).
3. If a field is absent from serialized proto, Go will simply set it to the zero value on desrialize (in the case of a time.Time, 0001-01-01T00:00:00Z).

Combining these facts, it seems reasonable to update the WAL format to include the receive time. This would have an implication for a node upgrading. However, we can then be certain that the timestamp is written into the new version and not the old version. It seems safe, therefore, to do the following when reading the WAL:

1. Check if the ReceiveTime is the zero value AND you are doing a WAL read.
2. If 1 is true, issue a prevote so long as all other checks on the proposal pass.

If you are doing a WAL read and see an zero value, ReceiveTime is irrelevant because you are reading an old WAL. Tendermint is therefore safe to issue a prevote, so long as all the other checks pass.

Let me know if I've missed something here.

[williambanfield]

As a side note, it may be worth adding a version field to the WAL that just tracks Tendermint's version to avoid any issue like this, but that is a separate issue.

[cason]

The William's description is in line with the investigations I did with Sergio.

I agree that this is probably the best solution, as it allows the processing when replying messages from the WAL be the same as during the original execution. But I'm not really sure if I understood what will be the impact in terms of retro-compatibility.

Another point: are we writing all messages' receive times to the WAL, or can you only write the Proposal messages' receive times to the WAL? I will favor the second solution, as receive time are not used for any other messages.

[cason]

Maybe I was not clear here: if William's solution doesn't have "undesirable side-effects", it does solve the problem from PBTS's point of view.